Adding Support to XACML for Dynamic Delegation of Authority in Multiple Domains

  • David W Chadwick
  • Sassa Otenko
  • Tuan Anh Nguyen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4237)


In this paper we describe how we have added support for dynamic delegation of authority that is enacted via the issuing of credentials from one user to another, to the XACML model for authorisation decision making. Initially we present the problems and requirements that such a model demands, considering that multiple domains will typically be involved. We then describe our architected solution based on the XACML conceptual and data flow models. We also present at a conceptual level the policy elements that are necessary to support this model of dynamic delegation of authority. Given that these policy elements are significantly different to those of the existing XACML policy, we propose a new conceptual entity called the Credential Validation Service (CVS), to work alongside the XACML PDP in the authorisation decision making. Finally we present an overview of our first specification of such a policy and its implementation in the corresponding CVS.


XACML Delegation of Authority Credentials Attributes Policies PDP 


  1. 1.
  2. 2.
    OASIS. Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML) V2.0 (January 15, 2005)Google Scholar
  3. 3.
    ISO 9594-8/ITU-T Rec. X.509, The Directory: Public-key and attribute certificate frameworks (2001)Google Scholar
  4. 4.
    Cantor, S.: Shibboleth Architecture, Protocols and Profiles, Working Draft 02 (September 22, 2004), see:
  5. 5.
    Ferraiolo, D.F., Sandhu, R., Gavrila, S., Kuhn, D.R., Chandramouli, R.: Proposed NIST Standard for Role-Based Access Control. ACM Transactions on Information and System Security 4(3), 224–274 (2001)CrossRefGoogle Scholar
  6. 6.
    Internet2 Middleware Architecture Committee for Education, Directory Working Group (MACE-Dir) EduPerson Specification (200312) (December 2003), available from:
  7. 7.
    C. Ellison, B. Frantz, B. Lampson, R. Rivest, B. Thomas, T. Ylonen. “SPKI Certificate Theory”. RFC 2693 (September 1999) Google Scholar
  8. 8.
    OASIS eXtensible Access Control Markup Language (XACML) v2.0 (December 6, 2004), available from:
  9. 9.
    Bandmann, O., Dam, M., Sadighi Firozabadi, B.: Constrained delegation. In: Proceedings of the IEEE Symposium on Research in Security and Privacy, Oakland, CA, May 2002, pp. 131–140. IEEE Computer Society Press, Los Alamitos (2002)Google Scholar
  10. 10.
    Madsen, P.: WS-Trust: Interoperable Security for Web Services (June 2003), available from:
  11. 11.
    Lorch, M., Proctor, S., Lepro, R., Kafura, D., Shah, S.: First experiences using XACML for access control in distributed systems. In: Proceedings of the 2003 ACM workshop on XML security, Fairfax, Virginia (October 31-31 2003)Google Scholar
  12. 12.
    Hommel, W.: Using XACML for Privacy Control in SAML-Based Identity Federations. In: Dittmann, J., Katzenbeisser, S., Uhl, A. (eds.) CMS 2005. LNCS, vol. 3677, pp. 160–169. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  13. 13.
    Alfieri R., et al.: VOMS: an authorization system for virtual organizations, 1st European across grids conference, Santiago de Compostela (February 13-14, 2003), available from:
  14. 14.
    Barton, T., Basney, J., Freeman, T., Scavo, T., Siebenlist, F., Welch, V., Ananthakrishnan, R., Baker, B., Keahey, K.: Identity Federation and Attributebased Authorization through the Globus Toolkit, Shibboleth, GridShib, and MyProxy. In: To be presented at NIST PKI Workshop (April 2006)Google Scholar
  15. 15.
    Clarke, D., Elien, J.-E., Ellison, C., Fredette, M., Morcos, A., Rivest, R.L.: Certificate chain discovery in SPKI/SDSI. Journal of Computer Security 9(4), 285–322 (2001)CrossRefGoogle Scholar
  16. 16.
    Elley, Y., Anderson, A., Hanna, S., Mullan, S., Perlman, R., Proctor, S.: Building certificate paths: Forward vs. reverse. In: Proceedings of the 2001 Network and Distributed System Security Symposium (NDSS 2001), pp. 153–160. Internet Society (February 2001)Google Scholar
  17. 17.
    Li, N., Winsborough, W.H., Mitchell, J.C.: Distributed credential chain discovery in trust management. Journal of Computer Security 11, 35–86 (2003)CrossRefGoogle Scholar
  18. 18.
    XACML v3.0 administration policy Working Draft 05 (December 2005),
  19. 19.
    Housley, R., Ford, W., Polk, W., Solo, D.: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. RFC 3280 (April 2002)Google Scholar
  20. 20.
    Chadwick, D.: Authorisation using Attributes from Multiple Authorities. In: Proceedings of WET-ICE 2006, Manchester, UK (June 2006)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2006

Authors and Affiliations

  • David W Chadwick
    • 1
  • Sassa Otenko
    • 1
  • Tuan Anh Nguyen
    • 1
  1. 1.Computing LaboratoryUniversity of KentCanterbury, Kent

Personalised recommendations