Previous section.

Common Security: CDSA and CSSM, Version 2
Copyright © 1999 The Open Group

Authorization Computation Modules


An application or service that protects resources through controlled access is typically faced with a request of the form:

"I am subject S. Do X to or with resource R for me."

The service provider needs to answer two questions before performing this action:

  1. Is this subject S?

  2. Is S allowed to do X?

The first is called authentication. The second is called authorization.

An Authorization Computation (AC) Service Provider answers the authorization question. The service provider does not perform the operation. The AC module defines a small number of interfaces to request authorization evaluations.

Authorization decisions are based on local truths, not universal truth. Local truths are the assumptions defined as valid within the local environment. Each assumption is formalized and represented in an Access Control List (ACL) structure. An ACL is a list of subjects allowed to have some particular access to some resource. The subjects can be represented by names, public cryptographic keys, or other authenticateable values. A requester presents an exhibit corresponding to the subject of an ACL. The exhibit can be matched with the subject of the ACL, which grants rights to the subject. Certificates, exhibits, other forms of credentials, and ACLs (which are non-signed credentials) can all be involved in the authorization decision. The CDSA AC Module defines a set of data structures representing these abstractions.

Granted authorizations can be carried in certificates. When making a request, a caller presents certificates and other samples or exhibits demonstrating that the caller is the "owner" of the empowered certificates.

Authorization evaluation is a two step process:

The reduction process uses the caller-provided certificates to convert exhibits to the list of operations authorized by those certificates and exhibits. The intersection step compares the reduction results with the ACL entries.

Authorization intersection is a rigidly-defined operation. Consider two authorizations X and Y. The authorizations X and Y are non-empty lists. The first element is a byte string, called the name or type of the list. Suppose that X is an authorization derived from the reduction process applied to the caller's credentials and exhibits. Suppose that Y is a basic authorization contained in an ACL entry (that is, it is a local assumption). Authorization is evaluated by computing the intersection of two lists. The intersection is computed by pairwise-intersecting each element in the list. List elements can be either byte strings or non-empty sublists:

If two lists are of different length but intersect in a non-null set of common elements, then the intersection includes all the elements of the longer list. If the intersection of X and Y is empty, then X and Y can not be reduced. This means that the caller's authenticated authorizations, represented by X do not match the local requirement and assumptions define by Y. In this case, the authorization evaluation result is negative. If the intersection in non-empty, then the caller is authorize to perform the operations granted by entry Y of the ACL.

Authorization Computation Services API

The CSSM AC-API defines 2 categories of API calls:

Authorization Evaluation Services
The CDSA AC interfaces define a set of abstract data structures for representing ACLs and exhibits. AC service providers also use certificate structures defined by CDSA Trust Policy Modules and CDSA Certificate Library Modules. Different AC modules can support different aspects of the ACL and exhibit abstraction. For example, some service providers support nested exhibits; others may not support these. Most evaluations result in the answer "yes" or "no". Some service providers can return intermediate evaluation results. Intermediate results are the set of ACL entries that are satisfied by a set of certificates and exhibits. These ACL entries represent the complete set of operations authorized to the owner of the certificates and exhibits.
Provider-specific Services
An AC module can provide additional services via the AC_PassThrough() function.
Click here to return to the publication details.

Contents Next section Index