Postulates for Revocation Schemes

  • Marcos Cramer
  • Giovanni Casini
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10204)


In access control frameworks with the possibility of delegating permissions and administrative rights, delegation chains can form. There are different ways to treat these delegation chains when revoking rights, which give rise to different revocation schemes. Hagström et al. [11] proposed a framework for classifying revocation schemes, in which the different revocation schemes are defined graph-theoretically. At the outset, we identify multiple problems with Hagström et al.’s definitions of the revocation schemes, which can pose security risks. This paper is centered around the question of how one can systematically ensure that improved definitions of the revocation schemes do not lead to similar problems. For this we propose to apply the axiomatic method originating in social choice theory to revocation schemes. Our use of the axiomatic method resembles its use in belief revision theory. This means that we define postulates that describe the desirable behaviour of revocation schemes, study which existing revocation frameworks satisfy which postulates, and show how all defined postulates can be satisfied by defining the revocation schemes in a novel way.


Keywords: Belief Revision; Social Choice Theory; Authorization Specification; Axiomatic Method; Dominance Dimension
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



The work of Marcos Cramer was supported by the Fonds National de la Recherche, Luxembourg, via the INTER project Specification logics and Inference tools for verification and Enforcement of Policies. The work of Giovanni Casini has been supported by the Fonds National de la Recherche, Luxembourg, and cofunded by the Marie Curie Actions of the European Commission (FP7-COFUND) (AFR/9181001).


References

  1. Aucher, G., Barker, S., Boella, G., Genovese, V., Torre, L.: Dynamics in delegation and revocation schemes: a logical approach. In: Li, Y. (ed.) DBSec 2011. LNCS, vol. 6818, pp. 90–105. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-22348-8_9
  2. Barker, S., Boella, G., Gabbay, D., Genovese, V.: Reasoning about delegation and revocation schemes in answer set programming. J. Logic Comput. 24(1), 89–116 (2014)
  3. Bertino, E., Samarati, P., Jajodia, S.: An extended authorization model for relational databases. IEEE Trans. Knowl. Data Eng. 9(1), 85–101 (1997)
  4. Bertino, E., Jajodia, S., Samarati, P.: A Non-timestamped authorization model for data management systems. In: Proceedings of the 3rd ACM Conference on Computer and Communications Security, CCS 1996, pp. 169–178. ACM, New York (1996)
  5. Chander, A., Dean, D., Mitchell, J.C.: Reconstructing trust management. J. Comput. Secur. 12, 131–164 (2004)
  6. Cramer, M., Hertum, P.V., Lapauw, R., Dasseville, I., Denecker, M.: Resilient delegation revocation with precedence for predecessors is NP-complete. In: 2016 IEEE 29th Computer Security Foundations Symposium (CSF), pp. 432–442, June 2016
  7. Cramer, M., Ambrossio, D.A., van Hertum, P.: A logic of trust for reasoning about delegation and revocation. In: Proceedings of the 20th ACM Symposium on Access Control Models and Technologies, pp. 173–184 (2015)
  8. Denecker, M.: The well-founded semantics is the principle of inductive definition. In: Dix, J., Cerro, L.F., Furbach, U. (eds.) JELIA 1998. LNCS (LNAI), vol. 1489, pp. 1–16. Springer, Heidelberg (1998). doi: 10.1007/3-540-49545-2_1
  9. Fagin, R.: On an authorization mechanism. ACM Trans. Database Syst. 3(3), 10–319 (1978)
  10. Griffiths, P.P., Wade, B.W.: An authorization mechanism for a relational database system. ACM Trans. Database Syst. 1(3), 242–255 (1976)
  11. Hagström, Å., Jajodia, S., Parisi-Presicce, F., Wijesekera, D.: Revocations – a classification. In: Proceedings of the 14th IEEE Workshop on Computer Security Foundations, CSFW 2001, p. 44. IEEE Computer Society, Washington, DC (2001)
  12. Li, N., Grosof, B.N., Feigenbaum, J.: Delegation logic: a logic-based approach to distributed authorization. ACM Trans. Inf. Syst. Secur. 6, 128–171 (2003)
  13. Rott, H.: Change, Choice and Inference: A Study of Belief Revision and Nonmonotonic Reasoning. Oxford University Press, Oxford (2001)
  14. Tamassia, R., Yao, D., Winsborough, W.H.: Role-based cascaded delegation. In: Proceedings of the 9th ACM Symposium on Access Control Models and Technologies (2004)
  15. Yao, D., Tamassia, R.: Compact and anonymous role-based authorization chain. ACM Trans. Inf. Syst. Secur. 12, 1–27 (2009)
  16. Zhang, L., Ahn, G.J., Chu, B.T.: A rule-based framework for role-based delegation and revocation. ACM Trans. Inf. Syst. Secur. 6(2), 201–231 (2003)

Copyright information

© Springer-Verlag GmbH Germany 2017

Authors and Affiliations

  1. University of Luxembourg, Luxembourg, Luxembourg
