The World-Wide Web (WWW) organizes information into sets of hypertext documents, where a document comprises links to contents and to other documents, rules for the document's presentation, and rules for link-traversal. Documents and contents may be stored in different servers. We use the term node to refer to either a document or a content. We refer to a set of linked documents as a presentation tree. We assume that each presentation tree has a root document.
The use of hypertext structures requires a coordinated authorization approach. Granting access to a document may require granting access to the document's linked contents. Otherwise, a browser could not correctly present the document. Moreover, granting access to a presentation tree may imply granting access to all of the documents that compose the tree. Otherwise, a user would not be able to consult a presentation tree as intended.
Existing WWW authorization schemes are based on Access-Control List (ACL) mechanisms. A document server authorizes a client's request by comparing the client's authenticated identity against the document's ACL, granting the access if the client's entry includes the requested access mode. These schemes present the following drawbacks: (i) a server needs to know its potential clients; and (ii) granting or revoking access to a document or to a presentation tree requires the modification of the ACLs associated with several nodes. Moreover, the existing schemes do not propose any infrastructure for coordinating the administration of ACLs when the documents are stored in different servers.
2. A CAPABILITY-BASED DISTRIBUTED AUTHORIZATION MODEL
We propose an authorization model which provides authorization at the document and the presentation tree levels. The model organizes document servers into authorization domains. The domain's node servers condition access to their documents on a client's presentation of appropriate capabilities. The two principal assumptions we make are: (i) a domain comprises a global clock; and (ii) a server can authenticate its clients.
The model has two phases. In an installation phase, a security administrator associates with each document a list of capabilities that correspond to the document's outgoing links to other nodes. Moreover, the security administrator generates another list of capabilities for accessing root documents and stores it in an authorization server.
In a consultation phase, the authorization server grants clients delegated capabilities for retrieving root documents. Document servers answer a client's document request with the appropriate document and a delegated version of the document's list of capabilities. The client uses these capabilities to retrieve contents and other documents.
In a group extension of the model, each document is associated with an ACL whose entries correspond to the presentation trees that include the document. The authorization server now delegates to clients a group-capability granting access to a presentation tree. To access any document belonging to the presentation tree, the client just needs to present this capability.
Both the model and the group extension take into account the two approaches for document migration on the WWW, namely, the use of redirection addresses, and the use of URL-to-URN name resolvers.
Capabilities comprise attributes which protect them against their unauthorized use, modification, and forgery. Other attributes provide different capability revocation techniques.
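The following is an added worked example, not code from the paper or its prototype, that simulates the two phases of the model (Section 2) together with the group extension and the capability attributes just described. It assumes a single secret shared by the domain's servers (an HMAC key) for protecting capabilities against forgery and modification, binds each delegated capability to the authenticated client identity to prevent unauthorized use, and uses an expiry time on the domain's global clock plus a server-side revocation set as two revocation techniques; the document names, link structure, tree names and key are all constructed sample data.

```python
import hmac, hashlib, time
from dataclasses import dataclass

# Assumption of this example: every server in the authorization domain shares
# one secret used to authenticate capabilities (constructed value).
DOMAIN_KEY = b"example-domain-key-constructed-for-illustration"
TTL = 600.0              # lifetime of a delegated capability, in global-clock seconds
REVOKED_MACS = set()     # second revocation technique: servers refuse listed capabilities

def _mac(*fields):
    msg = "|".join(str(f) for f in fields).encode()
    return hmac.new(DOMAIN_KEY, msg, hashlib.sha256).hexdigest()

@dataclass(frozen=True)
class Capability:
    target: str     # node id (document or content); "tree:<name>" for a group-capability
    mode: str       # requested access mode, e.g. "read"
    holder: str     # authenticated client identity the capability is delegated to
    expires: float  # absolute time on the domain's global clock
    mac: str        # covers the other attributes: detects modification and forgery

def delegate(target, mode, holder, ttl, now):
    """Issue a delegated capability bound to one client and limited in time."""
    expires = now + ttl
    return Capability(target, mode, holder, expires, _mac(target, mode, holder, expires))

def valid(cap, target, mode, client, now):
    """Checks a node server performs before honouring a request."""
    if not hmac.compare_digest(cap.mac, _mac(cap.target, cap.mode, cap.holder, cap.expires)):
        return False                      # forged or modified attributes
    if cap.mac in REVOKED_MACS:
        return False                      # explicitly revoked by the administrator
    return (cap.target == target and cap.mode == mode
            and cap.holder == client and now < cap.expires)

# Installation phase (constructed data): the administrator records, per document,
# its outgoing links and the presentation trees it belongs to (group-extension ACL),
# and gives the authorization server the list of root documents.
DOCUMENTS = {
    "root.html":     {"links": ["img/logo.png", "chapter1.html"], "trees": {"manual"}},
    "chapter1.html": {"links": ["img/fig1.png"],                 "trees": {"manual"}},
    "secret.html":   {"links": [],                               "trees": {"internal"}},
}
ROOT_DOCUMENTS = {"manual": "root.html"}

class AuthorizationServer:
    def grant_root(self, client, tree, now):      # basic model: root-document capability
        return delegate(ROOT_DOCUMENTS[tree], "read", client, TTL, now)
    def grant_group(self, client, tree, now):     # group extension: whole-tree capability
        return delegate("tree:" + tree, "read", client, TTL, now)

class DocumentServer:
    def fetch(self, client, doc, cap, now):
        """Return the document plus delegated capabilities for its links, or None."""
        if doc not in DOCUMENTS:
            return None
        trees = DOCUMENTS[doc]["trees"]
        ok = valid(cap, doc, "read", client, now) or any(
            valid(cap, "tree:" + t, "read", client, now) for t in trees)
        if not ok:
            return None
        links = [delegate(n, "read", client, TTL, now) for n in DOCUMENTS[doc]["links"]]
        return {"document": doc, "capabilities": links}

def consult_tree(client="alice", now=1000.0):
    """Consultation phase: root capability, then follow a link with a delegated one."""
    auth, server = AuthorizationServer(), DocumentServer()
    root_cap = auth.grant_root(client, "manual", now)
    page = server.fetch(client, "root.html", root_cap, now)
    chapter_cap = next(c for c in page["capabilities"] if c.target == "chapter1.html")
    chapter = server.fetch(client, "chapter1.html", chapter_cap, now)
    return root_cap, page, chapter

if __name__ == "__main__":
    root_cap, page, chapter = consult_tree(now=time.time())
    print(page["document"], [c.target for c in page["capabilities"]], chapter["document"])
```

The server never consults a client list: it only needs the domain secret and the document's own installation-time data, which is the administrative simplification Section 3 claims. Granting or revoking a client's access touches only the authorization server (or the revocation set), not the ACLs of every node in the tree.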
3. UTILITY OF THE MODEL
The capability-based authorization model simplifies the security administration of clients as only the authorization server needs to know its clients.
The model allows an easy implementation of need-to-know authorization policies. Indeed, a client only obtains the capabilities necessary to consult a presentation tree and to present the tree's documents.
Moreover, we estimate that the model can be used in contexts where the client population changes at fast rates; for example, an electronic public library where a client buys access for a certain time.
4. VALIDATION OF THE MODEL
We have implemented a prototype of the capability-based authorization model and its group extension over an existing WWW system. The prototype gave us valuable insight into how to integrate the model and into its expected performance.