Explicit Delegation Using Configurable Cookies
Password sharing is widely used as a means of delegating access, but it is open to abuse and relies heavily on trust in the person being delegated to. We present a protocol for delegating access to websites as a natural extension to the Pico protocol. Through this we explore the potential characteristics of delegation mechanisms and how they interact. We conclude that security for the delegator against misbehaviour of the delegatee can only be achieved with the cooperation of the entity offering the service being delegated. To achieve this in our protocol we propose configurable cookies that capture delegated permissions.
We are grateful to the European Research Council for funding this research through grant StG 307224 (Pico). We also thank the workshop attendees for comments.