Delegation Logic: A Logic-based Approach to Distributed Authorization

by

Ninghui Li

Advisor: Joan Feigenbaum

Co-advisors: Benjamin Grosof and Alan Siegel


Abstract

We address the problem of authorization in large-scale, open, distributed systems. Authorization decisions are needed in electronic commerce, mobile-code execution, remote resource sharing, content advising, privacy protection, etc. We adopt the trust-management approach, in which "authorization" is viewed as a "proof-of-compliance" problem: Does a set of credentials prove that a request complies with a policy?

We develop a logic-based language Delegation Logic (DL) to represent policies, credentials, and requests in distributed authorization. Delegation Logic extends logic programming (LP) languages with expressive delegation constructs that feature delegation depth and a wide variety of complex principals (including, but not limited to, k-out-of-n thresholds).

D1LP, the monotonic version of DL, extends the LP language Datalog with delegation constructs. D2LP, the nonmonotonic version of DL, also features classical negation, negation-as-failure, and prioritized conflict handling. Our approach to defining and implementing DL is based on tractably compiling DL programs into ordinary logic programs (OLPs). This compilation approach enables DL to be implemented modularly on top of existing technologies for OLP, e.g., Prolog.

As a trust-management language, Delegation Logic provides a concept of proof-of-compliance that is founded on well-understood principles of logic programming and knowledge representation. DL also provides a logical framework for studying delegation, negation of authority, conflicts between authorities, and their interplay.


Last Modified: August 14, 2000