Active Certificates: A Framework for Delegation
Nikita Borisov and Eric Brewer
Proceedings of 2002 Network and Distributed System Security Symposium (The Internet Society)

Summary:

This paper presents an approach to delegation that uses mobile code to build "active certificates": cryptographically signed mobile agents that implement a delegation policy.

The delegation problem arises in computer systems when a principal (Alice) wishes to delegate some of her rights to another principal (Bob), so that Bob gains access to some subset of Alice's privileges. Traditionally, there are two common ways of solving the delegation problem.

In the first solution, a public key infrastructure is used to create the concept of a "delegation certificate." Alice cryptographically signs a statement of policy describing what rights she wishes to delegate, how long the delegation should last, and to whom the rights are to be delegated. When access is required, Bob presents the delegation certificate to the access control mechanism, which makes the authorization decision.

In the second solution, a daemon process, called a proxy, is endowed with sufficient credentials to perform access as the original rights owner. Alice uses a description language to provide the proxy with a description of the subset of her rights she wishes to delegate. When access is required, Bob contacts the proxy, which makes an authorization decision based on the delegation policy provided by Alice.

Active certificates present a new approach to delegation that combines the best features of delegation certificates and proxies. An active certificate is a special type of delegation certificate that contains cryptographically signed program code used to make delegation decisions on behalf of a principal. To delegate some of her rights, Alice signs a piece of program code that implements the delegation policy; this signed code is encapsulated in the active certificate. Bob can later present the certificate to an access monitor, which instantiates the mobile code to make the access decision.

Active certificates provide the advantages of both delegation certificates and proxies, specifically:

Expressivity -- By definition, delegation of rights involves weakening normal access control restrictions. A fine-grained delegation policy is therefore highly desirable, to avoid weakening these restrictions any more than necessary. Because active certificates are expressed in a general programming language, they can encode very specific access policies.

Transparency -- Applications do not need to be specifically designed to work with active certificates. While a resource being accessed needs to be aware of and process active certificates, this function can be contained within library components. After an authentication library processes the active certificate and determines whether access is to be allowed, the decision can be passed to the application as if it were coming directly from Alice.

Offline Delegation -- Once an active certificate is signed by Alice, delegation may be performed at any time without further interaction from Alice. That is, Bob may use the active certificate to act on Alice's behalf even if Alice does not remain online.

Pros: None received.

Cons (Adam Slagell):
1. Unless the mobile code is carefully made, captured ACs can be used by unintended third parties. They must include who they are intended for.
2. Even if not intercepted, ACs can be chained, and hence authority can be redelegated without the knowledge of the original delegator.
3. TCB is an undefined acronym as far as I can tell.
4. Does not support certificate revocation without sacrificing the "off-line" benefits.
5. The implication of increased certificate size was not addressed.
6. There is always the problem of running untrusted code. Denial of Service attacks are likely unless they can find a way to restrict the resource usage of the code.
7. The creator of an AC can control what response the user sees from the resource it is trying to access. This requires more trust in the AC's creator. He/she could make a user think that they are using this AC to do something other than what they think.

Cons (Vishu Gupta):
-- Allowing the code of another user to execute is putting too much trust in that user (a problem similar to active networks).
-- Certificate revocation is difficult to implement in active certificates.
-- The delegating entity cannot prevent chained delegation.
-- A lot of computation is moved to the resource.
-- Don't know whether using a general-purpose grammar is a good idea.

Discussion:
1. Will this system really produce the results intended by the authors?
2. Does the use of a general-purpose programming language within the active certificate truly allow fine-grained control of delegation policy? Are there any policies that could not (easily) be represented with active certificates?
3. It seems as though the proxy solution would allow Alice to immediately revoke a delegation decision, while active certificates are valid until they expire (not counting certificate revocation schemes). Are there any implications of this?
4. Alice cannot easily prevent Bob from redelegating her rights. Is this a problem? Do other delegation systems handle this better? (From page 4.)
5. Is the security analysis from Section 4 correct?
6. The paper points out that the system provides weaker authentication of responses (for example, "R says A says resultA(x,y)"). The authors take the view that since cooperation is already implicitly present in delegation, this is not a problem. Is this true? (From page 7.)
7. The mobile code used within an active certificate could be used to launch a Denial of Service attack against the authentication mechanism. Can this be reasonably avoided?
8. The authors describe the use of automated search mechanisms to find a chain of certificates that will allow Bob to use a resource. This seems very useful in the context of large systems that might be found in (for example) the Microsoft view of Web Services.
9. Does this system lend itself well to JavaBean-like component technologies?
10. Does this system seem appropriate for large-scale service-based systems like Microsoft .Net?

Voting:
Strong Reject: 0
Weak Reject: 8
Weak Accept: 8
Strong Accept: 0
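The access-monitor flow from the summary above, as an added example in Go (not the paper's code or the authors' implementation): Alice signs a body naming the delegatee, an expiry and the policy; the resource verifies the signature, the delegatee binding and the expiry before evaluating the policy under a step budget. It assumes a constructed rule list in place of the paper's general-purpose mobile code, so it does not show the expressivity point; the delegatee binding and the step budget correspond to the interception and resource-exhaustion concerns raised in the cons.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Rule is a constructed stand-in for the paper's signed mobile code: the
// resource interprets a short rule list instead of running arbitrary code.
type Rule struct{ Path, Op string }
// Body is the signed part of the certificate. Delegatee binds it to Bob, so
// a captured copy is useless to a third party (the first con listed above).
type Body struct {
	Issuer    []byte    // Alice's Ed25519 public key
	Delegatee string    // principal allowed to present the certificate
	Expires   time.Time // hard lifetime; the paper offers no online revocation
	Policy    []Rule    // delegation policy, in place of general-purpose code
}
// Issue is Alice's step: sign the JSON-encoded body to produce the certificate.
func Issue(priv ed25519.PrivateKey, b Body) ([]byte, error) {
	raw, err := json.Marshal(b)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, raw), nil
}
// Authorize is the resource's access monitor: verify the signature, delegatee
// binding and expiry, then evaluate the policy under a step budget (DoS concern).
func Authorize(b Body, sig []byte, presenter, path, op string, now time.Time, maxSteps int) error {
	raw, err := json.Marshal(b)
	if err != nil || len(b.Issuer) != ed25519.PublicKeySize ||
		!ed25519.Verify(ed25519.PublicKey(b.Issuer), raw, sig) {
		return errors.New("signature check failed")
	}
	if b.Delegatee != presenter {
		return errors.New("certificate was not issued to this presenter")
	}
	if !now.Before(b.Expires) {
		return errors.New("certificate expired")
	}
	// Rules beyond the step budget are never consulted, bounding evaluation cost.
	for i := 0; i < len(b.Policy) && i < maxSteps; i++ {
		if r := b.Policy[i]; r.Op == op && strings.HasPrefix(path, r.Path) {
			return nil // access granted on Alice's behalf
		}
	}
	return errors.New("denied by delegation policy")
}
```

A production monitor would sign and verify the exact wire bytes rather than re-encoding the body, and would run real mobile code in a sandbox with the same kind of budget.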