An Access-Control Calculus for Spanning Administrative Domains

Superceded by TR2000-363, available at ftp://ftp.cs.dartmouth.edu/TR/TR2000-363.ps.Z

An Access-Control Calculus

for Spanning Administrative Domains

Jon Howell∗

David Kotz

Technical Report PCS-TR99-361Department of Computer Science

Dartmouth CollegeHanover, NH 03755-3510

{jonh,dfk}@cs.dartmouth.edu

Abstract

In our quest to give users uniform access toresources unimpeded by administrative bound-aries, we discovered that we needed transitivesharing among users, with the possibility ofrestricted access along each sharing link. Toachieve that goal, we extend Lampson et al.’scalculus for access control to support restricteddelegations.

We discuss the advantages of our extension, in-cluding the simplification of constructs like ACLsand statement expiration. We also apply ourextension to model the Simple Public Key In-frastructure and make suggestions about its fu-ture development. Our extended calculus ex-poses some surprising consequences in such sys-tems that use restricted delegation.

1 Introduction

Users should be able to access resourcesuniformly, seamlessly crossing administrativeboundaries when they are not relevant to thetask the user is trying to accomplish. One ofthe most difficult aspects of achieving that goalis finding an architecture for security that spansadministrative domains. Most security architec-tures are woven into a specific system model,

∗Supported by a research grant from the USENIX As-sociation.

most of which treat a “system” as a unit ad-ministrated locally, or at best, in a hierarchy ofdomains.

In the real world, however, sharing happensacross administrative domains. In Figure 1, Al-ice has access to a resource, and wants to sharesome of her access with Bob, who further wishesto share part of his access with Charlie. Con-ventional systems, based on Access Control Lists(ACLs), make this sort of sharing very difficult.First, each remote user must appear as a princi-pal in the domain where the resource lives. Sec-ond, to implement each restriction, each user inthe chain would need to be able to modify theACL of the original resource. In this paper, wepresent a system that can model such chains ofdelegation satisfactorily, regardless of how theytraverse administrative domains, or of the factthat each user may restrict what he shares withthe next.

1.1 Background

Distributed systems that support multiple ad-ministrative domains are typically organized asa hierarchy. It is a start, but in essence, the hi-erarchy itself is still one large administrative do-main. Sharing with users outside the hierarchyhas the same problems as systems that modelonly a single administrative domain. It is un-likely that we can expect all or most users and

1

DatabaseServer

service requestreply

all

insectsobservations

field

read

perm

issi

on

computing center

university of wiggleschnauzerbushwhack institute

mom’shouse

Alice

Bob

Charlie

Merlin

Figure 1: A chain of delegation that spansadministrative boundaries. The straight arrowsrepresent actual communication, and the arcsrepresent delegations with restriction. Charlie’spermission is limited by each of the restrictionson the path of delegation between himself and thedatabase resource.

organizations to subscribe to a single adminis-trative hierarchy, especially when trust betweendistant parties requires putting trust in commonroot nodes: those nodes will have disproportion-ate power.

In the real world, users do share resourcesacross administrative boundaries. Users needto share resources to do their work, so theyfind ways to move the resources. Imagine Bobhas partial access to a resource owned by Alice.Bob may give Charlie a copy of a resource; butcopies cannot support reference semantics. SoBob might share his identity, such as by shar-ing a password. Or he may set up an “oracle”that accesses the resource in the Bob’s name, onCharlie’s behalf, for example, by putting a lo-cal link to the resource into his publicly-visibleftp or http directory. All three methods preventAlice from auditing the proxied access.

The calculus for access control described byLampson, Abadi, Burrows, Wobber, and Plotkinis an excellent start toward a system thatsolves the transitive sharing problem [LABW92,ABLP93]. (For brevity, we refer to it as Lamp-

son’s calculus.) Their system is based in a formallogic, and can express several natural securityconcepts. Delegations in their system can spanadministrative domains, since they are betweenarbitrary principals. Auditing is preserved, be-cause every access must ultimately be groundedin a chain of delegation showing the resourceowner how the object came to be shared withthe user making the present request. The cal-culus, however, has a critical limitation: restric-tion of access is based on ACLs. So even thoughusers can share resources with others freely, theycannot restrict the sharing at each link. If thesystem cannot model the needed policy, users arelikely to share without restriction for expediency,even when it is the wrong security decision.

The Simple Public Key Infrastructure (SPKI,pronounced “spooky”) is a recent Internet Ex-perimental Protocol [EFL+99]. It too facilitatessharing across administrative boundaries, but italso dispenses with ACLs in favor of allowing re-strictions along each sharing link. Unfortunately,SPKI is not presently based in a formal logic asis Lampson’s calculus; it offers only a suggestedimplementation of a decision procedure. It alsodiscards some of the expressivity of Lampson’scalculus.

1.2 Contributions

We began this work by starting with Lampson’scalculus, and extending it to include restricteddelegation. The purpose of the extension wasto inform a distributed system implementationthat supports transitive sharing. Upon learningabout SPKI, an implementation very close to theone we envisioned, we set out to use our extendedcalculus as an underpinning for SPKI, and toshow how SPKI may be extended while retainingthe confidence derived from a formal logic.

Our extension to Lampson’s calculus has threeimportant contributions. First, we support ourgoal of transitive sharing with restriction at eachlink. Second, the notion of ACLs go away, re-placed by restricted delegation. Restriction thatused to happen in an ACL is now expressed inthe first link of a delegation chain, between theresource provider and the principal that would

2

have been listed in the ACL with restricted per-mission. Third, delegation restrictions naturallymodel expirations and other time restrictions.Where Lampson’s calculus has a separate mech-anism to incorporate expirations, ours naturallyincorporates expirations directly into the centralconcept of restriction.

By extending Lampson’s calculus, we retainseveral useful features that we can then apply tocurrent work, such as SPKI. First, we retain itsformal nature, including a formal semantics thatjustifies the logic and any implementation basedon the logic. The semantics provides an intuitivemathematical basis for the consequences of thesystem, as well as promise of consistency in theresultant logic. The semantics also suggests op-portunities for consistent extensions, and warnsus away from imprudent extensions. Second, thelogic is simple. It has only four basic concepts:statements, principals, names, and restrictionsets. A complex implementation such as SPKImay be mapped into these simple concepts, en-hancing its comprehensibility. Third, we retainthe notion of general principals, including thosewith only indirect representations. For example,quoting principals allow multiplexed resources towork for multiple users while deferring access-control decisions to a central location, minimiz-ing the trusted computing base (TCB). This fea-ture helps avoid traps such as Unix set-UID-rootdaemons that end up implementing access con-trol decisions and extending the TCB.

1.3 Overview

This version of the paper begins with three sec-tions of review material. We begin with a briefintroduction to modal logic and its semantics inSection 2, followed by a review of Lampson’scalculus and its notation in Section 3, and anoverview of SPKI in Section 4. All three sec-tions are presented in a tutorial style, but noneof the work is our own. The erudite reader mayskip any or all of these sections.

In Section 5 we introduce our restricted dele-gation extensions to Lampson’s calculus, explorevariations on it and paths not chosen, and dis-cuss its advantages in more detail. In the fol-

lowing section, Section 6, we develop extensionsto the logic and semantics to support SPKI-stylelinked local namespaces.

In Section 7, we cast SPKI into our extendedcalculus, showing some of the assumptions SPKIdepends upon. Next, we explore the subtleconsequences of restricted authorization in Sec-tion 8. Our own plans for using the calculus areoutlined in Section 9. We discuss related workin Section 10, and summarize our results in Sec-tion 11. The Appendix provides proofs of claimsappearing in the paper.

2 The logic of belief

The Sicilian smiled and stared at the winegoblets. “Now a great fool,” he began,“would place the wine in his own goblet,because he would know that only anothergreat fool would reach first for what he wasgiven. I am clearly not a great fool, so Iwill clearly not reach for your wine.”

“That’s your final choice?”

“No. Because you knew I was not a greatfool, so you would know that I would neverfall for such a trick. You would count on it.So I will clearly not reach for mine either.”[Gol73, p. 157]

Modal logic is the logic of belief. One wayto reason about permissions and sharing is toreason about who believes what. We call par-ticipants in a distributed system agents, and thesymbols that represent agents in logical expres-sions principals. Principals can also representsets of agents, or one agent quoting another;these are called compound principals, and we dis-cuss them in Section 2.1. If Alice believes every-thing Bob believes (that is, Alice trusts Bob inevery matter), then if Bob believes it is good toread a given file, Alice must believe the same.In this section, we develop a model for reasoningabout logic in the presence of belief.

We begin with propositional logic. Assumethere is a set of primitive (uninterpreted, inde-pendent) statements Σ.1 For our purposes of

1Figure 4 provides a table of sets and variable notationused in this paper.

3

access control, we consider primitive statementssuch as “it is good to write to file X.” This in-terpretation turns an imperative command intoa declarative proposition. The primitive state-ments may be connected with and (∧) and not(¬) to form arbitrary formulas. The or (∨)and implies ( �

�) operators are abbreviations forlonger formulas made of ∧ and ¬.

Next we introduce a modal operatorbelieves .2 If σ is a formula and principalA represents agent Alice, Abelievesσ is aformula that can be read “Alice believes σis true.” In time, we will introduce multiplebelieves operators, one per principal. Fornow, we would like to build a model that helpsus understand which formulas A believes; thatis, for which σ do we have Abelievesσ?

To model this logic, we build a Kripke struc-ture. A Kripke structure is a tuple of setsM = 〈W, I, J〉. The members of set W representpossible worlds. The function I maps a primi-tive proposition (s) to the set of worlds whereit is true, and the function J maps a principalto a relation on worlds in W . Together, I and J

determine the truth value of every formula in ev-ery world in W ; we describe them in more detailshortly.

First, some intuition: A principal A living inworld w0 considers some other set of worlds pos-sible, and if a formula σ is true in each of thoseother worlds, then A believes the formula. Theinteresting thing about possible worlds is thatthe set of worlds A considers possible captureswhat she does not know: if a statement σ ap-pears in one possible world and ¬σ appears inanother, then A knows neither σ nor ¬σ. As faras she is concerned, σ could go either way, be-cause A cannot tell which of the possible worldsshe actually is in.

When we write M, w0 |= σ (pronounced “Mat w0 models σ”), we mean that in model M atworld w0, the formula σ is true. The mappingI tells us immediately about the truth of primi-tive propositions at different worlds, but we wishto determine the truth of arbitrary statements

2In conventional modal logic, Abelieves σ is written�Aσ.

σ, including propositional connectives and ourmodal operators (σ = Abelievesτ). We illus-trate with an example structure, shown in Fig-ure 2.

The model contains three primitive state-ments, l, b, and p. The statement l means thatour agent Alice (A) is in the produce depart-ment of a grocery store. Its negation, ¬l, meansthat Alice is in the meat department (it’s a smallstore). The b primitive means that the store’sbananas are yellow, and the p primitive meansthat the store’s pork is fresh.

Recall the three parts of a model, 〈W, I, J〉.W is the set of possible worlds; in our case,since there are three primitive statements, thereare at most eight: W = {w0, w1, . . .w7}. Iis a relation that defines which primitive state-ments are true at which worlds. In our example,I(b) = {w0, w1, w4, w5}, since the bananas areonly yellow in those four worlds. Finally, J is afunction that maps principals to relations. Be-cause we have only one principal (Alice), J hasonly one mapping, written J(A). The relationJ(A) is depicted with arrows in the diagram. Forexample, 〈w0, w1〉 ∈ J(A); that is, when the ac-tual world is w0, w1 is a world Alice considerspossible. In our example, it happens that Aliceconsiders two worlds possible from each world.

Assume for a moment that the actual world isin fact w0: Alice is in the produce department,the bananas are yellow and the pork is fresh. IfAlice were omniscient, she would consider onlyw0 possible, for that is indeed the state of things.Alice, however, is merely a shopper. She cannotsee from the produce department what is goingon in the meat department, and thus she cannottell if the pork is fresh. She must also considerpossible world w1, where the pork is spoiled. Sheknows for certain her own location, though, soshe can ignore worlds w4 · · ·w7. Because she isin the produce department and can see the ba-nanas, she can also ignore worlds w2 and w3 inwhich the bananas are green.

We have explained the two arrows emanatingfrom world w0. The other arrows in the diagram,comprising the relation J(A), communicate thesame sort of information about any other stateof affairs. For example, if the actual world were

4

0 w1

ww

ww

ww

w

76

54

32 l

b

pp

b

l

the pork is spoiledthe pork is freshthe bananas are greenthe bananas are yellowagent is in meat departmentagent is in produce department

p

p

bpb

lp

l

bl

pbl

b

p

p b

l l

l l b b p

Figure 2: A model of eight worlds (circles), illustrating the relationship between the accessibilityrelation (arrows) and the the modal operator (A believes ).

w1 (the pork is in fact spoiled), Alice considersjust the same worlds w0 and w1 possible, and forthe same reasons.

Now that you have the intuition behind theKripke structure, we can formally define whenvarious statements are true. Primitive proposi-tions are easy: the casual definition of I abovebecomes:

M, w0 |= s when w0 ∈ I(s)

This definition can be read “Statement s is trueat world w0 in model M when w0 is in the setI(s).”

What about formulas constructed from thepropositional connectives ∧ and ¬? The truth ofsome complex formula σ in a world is completelydetermined by the truth of its primitive proposi-tions, which the model defines by the mapping I .So we can formally define an extension functionE to extend the definition of I to arbitrary for-mulas. E is defined recursively starting with I ,

and extends as you would expect for the propo-sitional connectives:

E(s) = I(s)E(¬σ) = W − E(σ)

E(σ ∧ τ) = E(σ) ∩ E(τ)

Not surprisingly, ¬σ holds in exactly thoseworlds where σ does not, and σ ∧ τ holds in ex-actly those worlds where both subformulas hold.Take a look at the example structure and con-vince yourself that E(b ∧ ¬p) = {w1, w5}.

We embarked on this journey to discover whenAlice believes various statements, so we need tofind out when the model supports formulas in-cluding our modal belief operator. The naturalintuition is that Alice should believe a statementwhenever it is true in every world Alice considerspossible. To recall our example, b is true (the ba-nanas are yellow) in every world Alice considerspossible from w0, so M, w0 |= Abelievesb. Butbecause Alice considers w0 and w1 possible, she

5

considers both p and ¬p possible; and so she canbelieve neither; hence we have ¬(Abelievesp)and ¬(Abelieves¬p) at world w0. (You canthink of this situation as representing Alice’s “si-lence” on the matter of p. Even though Alice as-serts neither p nor ¬p, every formula is assigneda truth value. It is just that both Abelievespand Abelieves¬p are false.)

With this intuition, we fill out the definitionof E to mention formulas containing our modaloperator Abelieves :

E(Abelievesσ) = {w|J(A)(w) ⊆ E(σ)}

J(A)(w) denotes the set of worlds that A consid-ers possible from w.3 So when σ is true in everyone of these worlds (i.e., J(A)(w) ⊆ E(σ)), thenA believes σ (i.e. Abelievesσ).

Of course, security is not very interesting ina world with only one agent. To introduce asecond principal, we simply add a new rela-tion J(B) to our model. Now we can reasonabout what Bob believes (B believesσ), andeven about what Alice believes about what Bobbelieves (AbelievesB believesσ). (In our ex-ample, we could certainly discuss Alice’s beliefsabout her own beliefs, but for our application toaccess control, that is not very interesting.)

2.1 Compound principals

It is also possible to talk about compound prin-cipals. Lampson defines two operators on prin-cipals that can be used to make new compoundprincipals. The first is fairly easy to describe:the principal A ∧ B believes only things thatboth A and B believe. We can define a newpossible-worlds relation for the compound prin-cipal in terms of the relations for A and B. To dothis, we extend the mapping J to a new mappingR whose domain includes compound principals.Like the definition of E , R is defined recursively

3Formally, J(A)(w) = {w′|〈w,w′〉 ∈ J(A)}.

starting with J:

R(A) = J(A)∀ primitive principals A

R(A∧ B) = R(A) ∪ R(B)∀ arbitrary principals A,B

And R replaces J’s role in the definition of E :

E(Abelievesσ) = {w|R(A)(w) ⊆ E(σ)}That set union operation is surprising! What’s

going on? Recall that the more worlds an agentconsiders possible, the less the agent believes. Inour example structure, Alice could not believe pbecause she considered world w1 possible, wherep was false. Likewise, by taking the union ofthe relations for principals A and B to get therelation for the compound principal A ∧ B, weensure that the compound principal is at leastas ignorant as either of A or B. If A and Bdisagree on any statement σ, then A∧B can seeboth worlds where σ is true and worlds where itis false, so A ∧ B can have neither belief.

The second operator for forming compoundprincipals is written B|A, and pronounced “Bquoting A.” (“Quoting” may seem an odd choiceof words when talking about belief; however,when we translate our terminology into that ofLampson et al., it reads more naturally.) Thisprincipal captures B’s beliefs about A’s beliefs:(B|A)believesσ should be synonymous withB believes (Abelievesσ).

The relation for the compound principal B|Ais the composition of the relations of B and A:

R(B|A) = R(B) ◦ R(A)

What is the intuition for using composition?Suppose we have M, w0 |= B|Abelievesσ: Atworld w0, Bob (agent B) believes Alice believesσ. That means that at every world Bob consid-ers possible from w0 (R(B)(w0)), Alice believesσ. But Alice only believes σ at those worlds if σis true at every world Alice can see from thoseworlds: ⋃

w′∈R(B)(w0)

R(A)(w′)

6

The composition R(B) ◦R(A) relates w0 to justthis set. So B|Abelievesσ is true at w0 exactlywhen σ is true in every world reachable fromw0 by the composited relation given above asR(B|A).

2.1.1 The nature of principal relations

Now that we have a formal structure for dis-cussing the beliefs of principals, let us considerwhat kinds of beliefs are reasonable, and howprincipals’ beliefs should be related to one an-other’s.

Recall our example structure, where in anyworld, Alice was either ignorant (had no belief)about either the pork or ignorant about the ba-nanas. The first observation is that agents donot need to believe every true thing; statementsabout which they have neither a positive nor anegative belief represent something the agent isignorant about.

Furthermore, observe that Alice never be-lieved anything false: in every world, ifAbelievesσ, σ also held in that world. In theparlance of modal logic, we would say Alice’sbelief is actually knowledge: although she doesnot have all knowledge, everything she believesis in fact true. Why was this the case? Noticethat Alice’s possible-worlds relation is reflexive:for every world Alice’s relation includes an edgepointing back to that world. That is why Alicecannot believe anything false. If σ is not truein a given world, Alice cannot believe σ there,because the definition

M, w |= Abelievesσ iff w ∈ E(Abelievesσ)iff R(A)(w) ⊆ E(σ)

precludes it.In modeling access control in the presence

of arbitrary principals, however, we should cer-tainly expect that some principals will believe (orat least claim to believe) untrue things. So wemake no restriction of reflexivity on the relationthat defines a principal’s beliefs. Indeed, a prin-cipal may have an empty relation at a world: itmay consider no worlds possible! In that case, atthat world, the agent considers every statement

true, since every statement is true in all of thezero worlds the agent considers possible. Indeed,the agent believes false. The agent’s reasoninghas become inconsistent; other agents would bewise not to follow this agent’s beliefs.

2.1.2 Trust

Agents following one another’s beliefs is exactlyhow we model trust. If Alice establishes that shebelieves everything Bob believes, then Alice doesnot have to be present for Bob to read one of herfiles: if Bob claims that reading the file wouldbe good, Alice must agree, and the file servergrants the request. To capture this trust, we ob-serve that Alice is “less ignorant” than Bob: shebelieves everything Bob believes, and then per-haps more (on which Bob may remain silent).Therefore, from any actual world, Alice shouldconsider possible a subset of the worlds Bob con-siders possible. When R(A) ⊆ R(B), Alice sayseverything Bob says; if she says even more, it isbecause she disregards some possible world thatleaves Bob’s belief ambiguous. You should con-vince yourself that if Bob believes σ, Alice hasto believe the same thing, for she considers pos-sible only a subset of the worlds Bob considerspossible.

3 Lampson’s calculus

This section contains an introduction to Lamp-son’s calculus for access control. The reader fa-miliar with it may skip to the next section. In thepreceding section, we introduced an instance ofmodal logic: propositional logic plus some modaloperators capture the possibly ignorant, possiblyfalse beliefs of fallible principals. The semanticswe presented, based on Kripke structures, is ex-actly that used by Abadi to justify the calculusfor access control. We introduced the seman-tics first, though, because conventionally the se-mantics is the “intuitive model” of the world,and the logic is a system for discovering theo-rems (statements that are true in every model)and reasoning from premises to conclusions thatmust appear in the model.

7

To apply modal logic to access control, Lamp-son renames the operators. First, “believes”is renamed “says.” This is meant to capturethe notion that Lampson’s logic is performative:sometimes when a principal says something, thatsomething becomes true. The act of saying to afileserver that a file should be modified, giventhat the fileserver believes you, causes that fileto indeed be modified. This renaming makes thequoting operator sound more natural: B|A isBob quoting Alice. B|A sayss is meant to bea synonym for B saysA sayss. “Belief” is stilluseful intuition, however. The operator is thesame; Bob’s belief in σ can be inherited by Alicewithout Alice actually uttering σ.

A logic is a system of axioms and proof rulesthat let one reason from premises to conclusions:if the premise holds in a model, the conclusionholds as well. Lampson’s logic is sound in thatany conclusion proven in the logic holds in themodel, but it is not complete: there are state-ments that are true in every model that cannotbe proven in the logic. Abadi suggests that infact the model may be undecidable: no logic sys-tem is adequate to prove every valid statementof the model.

The logic of access control is the same (upto variations in notation) as the conventionalmodal logic system Kn. The subscript n indi-cates that there are multiple modal operators[HC96, FHMV95, page 51]. We present that sys-tem here.

First, we write � σ if a statement σ is valid inthe logic: either taken as an axiom, or provableas a theorem from other axioms and the proofrules. We prove theorems using the following:

If σ is a tautology of propositional calculus,then � σ (Axiom 1)

The axiom lets us pull in the theorems of propo-sitional calculus without explicitly mentioningthe axioms and proof rules that produce them.

� σ � σ ��τ

� τ(Rule 2)

The proof rule (modus ponens) says that if bothσ and the implication σ �

�τ are valid (provable),

then τ is provable as well. It lets us prove the-orems about formulas that include the modaloperators (says) by reasoning from premises toconclusions.

We also have the Distribution Axiom (knownin modal logic as the axiom K, from which thename of the system Kn derives):

� A says (σ ��τ) �

�(A saysσ ��A says τ)

(Axiom 3)

Intuitively it means that agents understand andbelieve all of the consequences of their beliefs.Furthermore, they believe every theorem:

∀A,� σ

� A saysσ(Rule 4)

That is, agents know all of the theorems of thelogic.

There is a subtle but important distinction be-tween implication in the metalogic (the proofrule above) and implication in the logic. Thelogical symbol � means that the premises on itsleft prove the conclusions on its right. The proofrule condition � σ means that no premises are re-quired to prove σ; that is, σ is a theorem. Whenthat is true, we may conclude � A saysσ: it isproven that A saysσ.

In contrast, the corresponding statement inthe logic (not the metalogic) does not hold. Thestatement � σ �

�A saysσ is read “it is not prov-able that σ implies A saysσ.” The premise ofthe implication is an arbitrary statement σ (un-like the theorem � σ in the proof rule); it is nottrue that principals say every true statement.They say every theorem (those statements truein every world), but not every true statement(those statements true in the actual world fromwhich the statement is being uttered).

3.1 The calculus of principals

The symbol = is an equivalence relation on prin-cipals; by A = B we mean that A and B havethe same relation and therefore the same beliefs.4

4Abadi et al. “note that A and B can have the samebeliefs without having the same possible worlds relation;however, because principals are identified by their rela-

8

(Later in the paper we also use = to denote setequality; its use should be clear from context.)

We have presented the logical tools for reason-ing about formulas of statements. Recall that wecan also combine principals into principal formu-las. For example, A ∧ B is the principal thatbelieves (says) only things that A and B agreeupon. In the logic, A ∧ B is defined in terms ofits relationship to statements:

� (A ∧ B) saysσ ≡ (A sayss) ∧ (B saysσ)(Definition 5)

Principal conjunction is associative, commu-tative, and idempotent:

� (A ∧ B) ∧ C = A ∧ (B ∧ C) (Axiom 6)� A ∧ B = B ∧ A (Axiom 7)� A ∧ A = A (Axiom 8)

Quoting (B|A) is defined as:

� (B|A) saysσ ≡ B says (A saysσ)(Definition 9)

In a sense, the quoting operator “curries” a saysoperation from the propositional formula intothe principal formula, so that one can talk abouta principal quoting another without yet mention-ing the specific statement being quoted.

Quoting is associative and distributes overconjunction in both arguments:

� (A|B)|C = A|(B|C) (Axiom 10)

� A|(B ∧ C) = (A|B) ∧ (A|C)� (A ∧ B)|C = (A|C) ∧ (B|C)

(Axiom 11)

3.2 The “speaks for” relation

A central concept of the calculus is the “speaksfor” relation (⇒), which defines a partial orderover all principals. This relation encodes the no-tion of one principal trusting another that we in-troduced in Section 2.1.2. The statement B ⇒ A

tions in the semantics, we define equality in terms of rela-tions.” This is only possible if the model has two distinctworlds in W that belong to all the same I sets; that is,the model has two separate but indistinguishable worlds.

is read “B speaks for A,” and means that when-ever B says something, A certainly agrees. For-mally, we define

� (B ⇒ A) ≡ (B = B ∧ A) (Definition 12)

Why is this the case? If A trusts B, then A sayseverything B says. So the set of things B∧A saymust be the same as the set of things B says. Itcannot be greater, by its semantic definition inSection 2.1, and it cannot be less, or else thereis something B says that A does not.

From the definition we can derive:5

� (B ⇒ A) ��((B saysσ) �

�(A saysσ))(Theorem 13)

When B ⇒ A, B is a stronger principal than A inthe sense that B can do everything A can do (bymaking A believe the appropriate performativestatement), and perhaps more.

Using the associativity of ∧ for principals, itis clear that ⇒ is a transitive relation:

� (B ⇒ A) ∧ (C ⇒ B) ��C ⇒ A

(Theorem 14)

(The ∧ in the theorem is that for statements.We would like to use a different symbol for clar-ity, but we stick with Lampson’s notation here.)Both the ∧ and | operators on principals aremonotonic with respect to ⇒:

� (A ⇒ B) ��((A∧ C) ⇒ (B ∧ C))

(Axiom 15)

� (A ⇒ B) ��((A|C) ⇒ (B|C))

� (A ⇒ B) ��((C|A) ⇒ (C|B))

(Axiom 16)

With the speaks-for relation, we can finally seewhy quoting is a useful operation. One can letC|B ⇒ A, so that C can only speak for A whenit quotes B. Without quoting, we would needa formal accounting for universal quantificationover formulas: ∀σ, C saysB saysσ �

�A saysσ.5Surprisingly, Abadi drops Definition 12 and instead

treats Theorem 13 as an axiom. Doing so precludes theo-rems with conclusions containing ⇒, since we are left withno axioms with ⇒ in the conclusion. In fact, Theorem 13requires only the weaker operator → in its premise, whichwe discuss in Section 5.1.2.

9

The semantics of ⇒ falls out fairly directly.Definition 12 requires that

M, w |= B ⇒ A

iff R(B) = R(B ∧ A) = R(B) ∪ R(A)iff R(A) ⊆ R(B)

Notice that the condition on the R relations isindependent of the world w. So the extensionfunction E is all-or-nothing for speaks-for formu-las:

E(B ⇒ A) ={

W if R(A) ⊆ R(B)∅ otherwise

(Definition 17)

3.3 Access Control Lists

The speaks-for relation, because it is transitive,lets us reason broadly about how principals’ be-liefs affect one another. In the end, however, theserver wants to convince itself that some primi-tive proposition s, perhaps to be interpreted “itis okay to change the contents of the file,” istrue. To support this, Lampson uses the con-struct A controls s to indicate that principal A’sbeliefs about s are taken to be truth. It is definedas:

A controls s ≡ ((A sayss) ��s) (Definition 18)

Now suppose B wants to write to the file thats describes, and the assumptions � B ⇒ A and� A controls s hold. Then the file server will beable to verify a proof of � s, convincing itself that“it is okay to change the contents of the file.”

Lampson encodes access control lists (ACLs)using controls assumptions:

ACL (O1) =

⎧⎨⎩

� A controls sread,

� A controls swrite,� B controls sread

⎫⎬⎭

By adjusting which principals’ assertions are be-lieved, the ACLs allow or disallow agents to ef-fect action.

3.4 Higher-level operators

The operating system that instantiates the cal-culus requires resource servers to construct and

then verify all necessary proofs [WABL94]. Wob-ber calls it a pull model: it is the servers’job to pull in necessary assumptions and proofcomponents needed to verify an agent’s access.Building such proofs, when assumptions includespeaks-for formulas with arbitrary combinationsof ∧ and | operators, takes exponential time. Tomake the decision problem tractable, Lampsondefines two high-level operators, as and for , interms of the lower-level operators. Each opera-tor is designed to reflect an idiomatic usage pat-tern of the calculus. By defining the higher-leveloperators, Lampson can restrict how the lower-level operators combine, and exploit character-istics such as associativity and idempotence. Inthe abstract, the operators can be treated as ab-breviations and replaced by their definitions, andthey do not affect the calculus. We cover themhere to demonstrate the idioms they represent.

3.5 Roles and the “ as ” operator

Lampson defines a distinguished, disjoint set ofprincipals called roles. By quoting a role, aprincipal restricts its own authority. For ex-ample, define the roles Ruser and Radmin rep-resenting a person acting as a user and as anadministrator, respectively. Suppose the ACLsin the system include A|Radmin controls s1 andA|Ruser controls s2. In her daily work, Alice maystep into her role as user by quoting Ruser; whenshe needs to perform administrative tasks, Alicecan explicitly quote Radmin to gain access to ob-jects such as s1 that mention her administrativerole. More interestingly, Alice can delegate justone of her roles to another principal by arrang-ing that B ⇒ A|Ruser. Now Bob can do anythingAlice could do as a user, but he cannot access heradministrative resources. Roles can also be usedto sandbox untrusted code. When running un-trusted software, Alice might delegate to it onlyauthority over A|Runtrusted, preventing the codefrom accessing the bulk of her resources.

The as operator stands for quoting when thequoted principal is a role. In a sense, as addsstrong typing, requiring that its right-hand ar-gument be a role. In contrast to general princi-pals, quoting is idempotent and commutative for

10

roles, and all principals automatically speak forthemselves in every role:

R|R = R ∀R ∈ Roles (Axiom 19)R′|R = R|R′ ∀R, R′ ∈ Roles (Axiom 20)

A ⇒ A as R ∀R ∈ Roles (Axiom 21)

By virtue of these special features of roles and itsstrong typing, the as operator takes on idem-potence and commutativity. This helps makeLampson’s access control problem tractable.

3.5.1 Semantics for Roles

The axioms above are not supported for generalquoting, and yet as is simply an abbreviationfor quoting. Therefore, the axioms must be jus-tified by some restriction on the possible-worldsrelations of the roles themselves. First we definea special principal 1, the identity, who believeseverything that is true and nothing that is not:

R(1)(w) = w ∀w ∈ W

In any given world, 1 considers only that worldpossible. Therefore, it only tells the truth (therelation is reflexive), and it tells the whole truth(no world has multiple arrows, so it is confusedabout nothing). The identity serves as the mosttrusted role a principal can assume. Why? Aas1is shorthand for A|1, so R(A as 1) = R(A) ◦R(1) = R(A): the identity role does not limitA’s authority at all.

All roles are principals whose relations are con-strained as follows:

R(R1) ⊆ R(1)

This means that the role relation may containsome edges 〈w, w〉 and not others, but no edgesthat take one world to another world. A role,when composed with another principal’s rela-tion, cannot expand the set of worlds the prin-cipal considers possible, only reduce it. See Fig-ure 3 for an illustration.

We are now prepared to justify the axioms forroles. The first property is idempotence. R(R1)takes each world to either itself or nowhere, socomposing R(R1) with itself should do the same.

The second property is commutativity. An ar-row appears in R(R1) ◦ R(R2) exactly when itappears in R(R1) ∩ R(R2), and ∩ is commuta-tive. Finally, A ⇒ A as R1 is automatically truewhen R1 is a role. Why? Composing R(R1) ontoR(A) cannot introduce any new worlds (since thearrows of R(R1) are all reflexive), but may elim-inate worlds (when R(R1)(w) = ∅). Hence

R(A) ◦ R(R1) ⊆ R(A)

and we conclude A ⇒ A as R1.

3.6 Delegation and the “for” operator

Besides encoding roles, quoting can be used toencode delegations to trusted principals in a re-stricted way. Here is the problem: Imagine thatboth Alice and Bob log in to machine M . Usingjust the speaks-for operator, Alice might estab-lish that M ⇒ A and Bob that M ⇒ B. Butthen when Bob (sitting at his terminal to ma-chine M) tries to read a file that only A haspermission to read, M would say the request,and the server would reason that A believed it.In this situation, the access-control system can-not help the server reason about whether the fileshould be read, since M has not provided enoughinformation.

Instead, A could require that M explicitlymention A whenever it makes requests on A’sbehalf: M |A ⇒ A. Now when M is working forB, it will be quoting B, not A, and A’s file issafe. If M were corrupt, of course, it could stillabuse the authority granted it by A. But quot-ing principals helps an honest M pass the rightinformation to resource servers for access-controldecisions.

Lampson et al. define a slightly more compli-cated concept of delegation from A to B, writtenas the compound principal B for A. The keyidea behind delegation is that both the delega-tor A and the delegate B must take some explicitaction for the delegation to take effect:

A says B|A ⇒ (B for A)B|A says B|A ⇒ (B for A)

11

◦ =

An arbitrary principalrelation R(A) . . .

. . . composed with arole relation R(R) . . .

. . . gives a new rela-tion that is always asubset of R(A).

Figure 3: Roles reduce relations they are composed with.

from which, using the definition of for in Lamp-son’s paper, we can conclude

(B|A) ⇒ (B for A)

Then A installs BforA in ACLs for any resourcesit wishes to allow B to access on its behalf.

The difference between B simply taking careto always quote A and B receiving a delegationto B for A is subtle. In both cases, A must ex-plicitly hand off authority to B. And in bothcases, B has to take some explicit action to ac-cept the delegation; in the first case, that actionis to quote A, in the second, it must also make aseparate statement accepting the delegation.

Like as, for seems to be introduced for itsspecial properties, to enable a more efficient pull-style theorem-proving implementation.

We have completed our review presentation ofthe calculus due to Lampson et al.

4 The Simple Public Key In-frastructure

The Simple Public Key Infrastructure 2.0 (SPKI,pronounced “spooky”) is an Internet Experimen-tal Protocol created by Ellison, Frantz, Lamp-son, Rivest, Thomas, and Ylonen [EFL+99]. Asits name suggests, it is designed to be a unify-ing standard for supporting public key autho-rization across the global Internet. We highlighthere some of the features of SPKI relevant to thiswork.

First, SPKI’s primary goal is to provide aserver with evidence that the holder of a givencryptographic key is ultimately authorized for arequest signed by that key. This goal contrastswith that of previous public-key infrastructuredevelopment efforts that attempted to bind keysto identities, and left authorization to be han-dled in the conventional fashion by ACLs thatmap identity to authorization.

In this section, we review the certificate se-mantics that SPKI supports, and outline the pro-cedure used to determine whether a given certifi-cate chain supports a requested operation.

4.1 Certificate semantics

To that end, SPKI defines its own certificate for-mat, as well as an internal representation of cer-tificates to which it can map other inputs, suchas PGP certificates, X.509 certificates, or locallymaintained ACL entries. Authorization resultscan be constructed from inputs providing infor-mation in one of three forms:

• 〈authorization, key〉• 〈authorization, name〉• 〈name, key〉

The first form coincides with SPKI’s designphilosophy of mapping keys directly to au-thorizations. Inputs of the latter two formsmust ultimately be combined to form a SPKI〈authorization, key〉 mapping.

12

Inputs of the first two forms are mapped intoa data structure called a 5-tuple for internal pro-cessing; inputs of the latter form are mapped intoa data structure called a 4-tuple.

A 5-tuple has the following fields:

• issuer: the public key granting the permis-sion defined by the 5-tuple

• subject: a public key or name to which thepermission is being granted

• delegation-control: a boolean value indicat-ing whether this permission may be furtherdelegated

• authorization: a set of primitive permissionsbeing granted

• validity dates: a date range limiting the va-lidity of this delegation

The intended meaning is that the issuer grantsthe subject the permission described in the au-thorization field for the duration of the validitydates. If the delegation-control bit is set, thesubject may further delegate any or all of thepermission to another subject.

The subjects in 5-tuples (and in 4-tuples,which we present shortly) may be replaced witha k-of-n threshold function. In this case, thepermission is delegated to any principal that canprove it is authorized to speak for any k of then “subordinate” subjects listed in the thresholdfunction.

The authorization fields contain primitive per-missions whose interpretation is left to the ap-plication employing the SPKI authorization en-gine. These permissions are represented using S-expressions. S-expressions encode infinitely largesets of primitive statements in a form that per-mits a compact representation of certain subsets.To a first approximation, primitives are trees,and an S-expression represents the subset ofprimitives that share a given “trunk” (our term).An S-expression contains the representation of afinite tree “trunk,” and any primitive whose treeis formed of the trunk and some subtrees de-scending from the trunk’s leaves is a member of

the subset described by the S-expression. No-tably, an S-expression can represent only a set ofprimitive symbols; never a formula made fromthe negation or conjunction of primitive sym-bols. S-expressions admit a simple intersectionalgorithm that always yields a compact represen-tation of the intersected set: the “union” of twotrunks is a new trunk that matches only primi-tive symbols that matched both input trunks.

SPKI certificates may also indicate an on-linemechanism for verifying that the issuer consid-ers a certificate still valid. Two of the checks,the certificate revocation list (CRL, a nega-tive list of revoked certificates) and the timedrevalidation (a positive list of still-valid certifi-cates), are performed by consulting a list revisedmore frequently than the original certificate be-ing checked. The one-time revalidation check isperformed by contacting a named server to verifythat the server still approves the certificate, and“represents a validity interval of zero” [EFL+99,p. 21].

Symbolic names are always interpreted rela-tive to a globally unambiguous name; in SPKI,such a name always consists of a public key. Asa consequence, the definition of a symbolic nameis never ambiguous; it is always the definitionsupplied by the key that grounds the name. TheSPKI authors contrast this situation with thatof PGP, where symbolic names reside in a globalnamespace, and their meaning depends on thebeholder and the “introducers” that the beholdertrusts.

A symbolic name ultimately is defined as oneor more keys, although a single 4-tuple may de-fine a name in terms of a chain of other namesgrounded in a key. In that case, other 4-tuplesmust participate in the reduction of the namechain to a final key. A 4-tuple has the followingfields:

• issuer: the public key defining this name inits private name space.

• name: the name being defined

• subject: a public key or name to which thename is bound.

13

• validity dates: a date range limiting the va-lidity of this delegation

When the subject is a key, a 4-tuple binds a sym-bolic name to a key; when the subject is itselfa name (always globally qualified), the 4-tuplebinds a symbolic name to another name. In thelatter case, the subject name must ultimately re-solve to some key to be used in an authorizationdecision.

The intended meaning of a 4-tuple is that theissuer defines the symbolic name, when groundedby the issuer’s key, to be equal to the key iden-tified by the subject for the duration of the va-lidity dates. It is easy to read this definitionbackwards. Note that a name definition tupledoes not give the issuer control over the sub-ject, but the subject control over any permissionelsewhere granted to the grounded name “issuer:name.” Hence a threshold subject is also mean-ingful as the subject of a 4-tuple; its use meansthat if a principal speaks for k of the n subordi-nate subjects, that principal also speaks for “is-suer: name,” and hence garners any permissiongranted to that name.

4.2 Tuple reduction

The SPKI access-control decision procedure iscalled “tuple reduction.” Once the appropriatecertificates for an access-control decision havebeen gathered and the on-line checks performed,and the certificates converted into internal tu-ples, the tuples are “reduced.” If the reductionresults in a 5-tuple granting the requested per-mission to the key that signed the request, thenthe request may be granted.

Reduction proceeds as follows. First, 4-tuplesare reduced to resolve names. 4-tuples that de-fine a name in terms of another grounded chainof names are reduced using 4-tuples that definea name in terms of a key. Eventually, 4-tuplesof the former form are reduced to 4-tuples of thelatter form. The validity date stored in the out-come of each reduction is the intersection of thevalidity dates of the 4-tuples being reduced.

Then the 〈name, key〉 bindings formed by thereduced 4-tuples are applied to resolve names

in 5-tuples back to keys, again carrying validitydates through with intersection operations. Thisoperation turns 〈authorization, name〉 5-tuplesinto 〈authorization, key〉 tuples.

At this point, each 5-tuple represents a sub-ject key (or threshold subject defined as a set ofkeys) with authorization to perform some set ofactions on behalf of the issuer key. When two5-tuples form a chain of delegation (the issuer ofthe second is the subject of the first, and the firsttuple allows further delegation), the 5-tuples arereduced to a new tuple whose subject is the sub-ject of the second tuple and whose issuer is theissuer of the first. The reduced tuple carries theintersection of the authorizations of the sourcetuples as its authorization, and the intersectionof the validity dates of the source tuples as itsvalidity dates. Finally, the reduced tuple carriesthe same delegation control bit as the second tu-ple did. Think of the delegation control bit asthe coupling on the back of a boxcar; if the firsttuple lacks it, the cars cannot couple; if the sec-ond tuple lacks it, the cars may couple, but theresulting “super-car” will also lack a rear cou-pling.

We return to SPKI in Section 7, where we ap-ply our extended calculus to model SPKI.

5 The logic and semantics of re-

stricted delegation

Having presented modal logic and the accesscontrol logic of Lampson et al. in Sections 2and 3, we are ready to extend the logic. Fig-ure 4 summarizes the symbols we use in the fol-lowing sections. In Section 5.1, we extend thespeaks-for relation with an argument restrictingthe delegation to a subset of statements. Thenin Section 6.1, we extend the logic to incorporateSPKI-style linked local names.

5.1 TheT⇒ extension to the

calculus of access control

In one paper, Lampson et al. mention in pass-ing the idea of a qualified speaks-for operator[LABW92, page 272]. In this section, we intro-

14

Set Examplemembers

Description

Σ s, t The set of primitivepropositions. Theyrepresent resources.

Σ∗ σ, τs ∧ t

The set of well-formedformulas (statements)constructed from Σ, ∧,¬, A says, and B ⇒ A

2Σ∗S, T, V The set of sets of

statements

P A, B The set of primitiveprincipals. Theyrepresent agents,including people,machines, programs, andcommunicationschannels.

P ∗ A,BA ∧ B

The set of compoundprincipals constructedfrom P , ∧, |, and ·N

N N The set of local names

Figure 4: The symbols used to represent sets inthis paper.

duce our regarding operator, which formalizesthe notion of the restricted speaks-for operator.It is written B

T⇒ A, and read “B speaks for Aregarding the set of statements in T.” T is anysubset of Σ∗. The desired meaning is that whenσ ∈ T ,

BT⇒ A �

�((B saysσ) ��(A saysσ))

The power of the regarding operator T⇒ isthat A can delegate a subset of its authority with-out modifying any ACLs. Contrast the situationwith the use of roles in Section 3.5, where to del-egate authority to a restricted subset of her re-sources, Alice had to define a role and install thatrole in the ACLs of each resource to be shared.

Restricted speaks-for is transitive:

� (C T⇒ B) ∧ (B T⇒ A) ��(C T⇒ A) (Axiom 22)

We expect the ∧ operation on principals to bemonotonic over T⇒:

� (B T⇒ A) ��(B ∧ C) T⇒ (A∧ C) (Axiom 23)

Restricted control over two principals is thesame as restricted control over their conjunct:

� C T⇒ (A∧ B) ≡ (C T⇒ A) ∧ (C T⇒ B)(Axiom 24)

Let U be the universe of all well-formed formu-las; that is, those formulas over which a modelM defines E . Restricted speaks-for degeneratesto the original speaks-for when the restriction setis the set of all statements:

� (B U⇒ A) ≡ (B ⇒ A) (Axiom 25)

If Bob speaks for Alice regarding a set of state-ments T , he surely speaks for her regarding asubset T ′ ⊆ T :

∀T ′ ⊆ T,

�(B T⇒ A) ��(B T ′⇒ A) (Axiom 26)

Using Axiom 26, a chain of delegations can becollapsed to a single delegation from the headprincipal in the chain to the tail, whose restric-tion set allows the intersection of the restrictionsets of each of the original delegations.

� (C S⇒ B) ∧ (B T⇒ A) ��(C S∩T⇒ A)

(Theorem 27)

This is not to say that C may not speak for Aregarding more statements than those in the in-tersection; we address this topic further in Sec-tion 8.

If we have two restricted delegations from Al-ice to Bob, we might expect Alice to speak forBob with respect to the union of the restrictionsets. Because of the semantics we choose for T⇒,however, this is not the case.

(B S⇒ A) ∧ (B T⇒ A) � ��B

S∪T⇒ A (Result 28)

In Section 5.1.2, we describe a relation weakerthan T⇒ for which the positive claim holds.

15

Lampson’s quoting operator on principals (|) ismonotonic in both arguments over ⇒. Quotingis still monotonic over T⇒ in its left argument:

�(B T⇒ A

)��C|B T⇒ C|A (Axiom 29)

Our semantics does not justify monotonicityin the right argument, however:(

B T⇒ A)� ��B|C T⇒ A|C (Result 30)

This result appears to limit the usefulness ofquoting. The same counterexample that showsResult 30 shows the same property for the weakerspeaks-for relation defined in Section 5.1.2; so itseems that the notion of quoting simply does notmix easily with restricted delegation.

We can, however, propagate the quoted prin-cipal through the restriction set. Let T ∗ be theclosure of T with respect to the propositional op-erators ¬ and ∧: T ⊆ T ∗, and if σ, τ ∈ T ∗, then¬σ ∈ T ∗ and σ ∧ τ ∈ T ∗. Furthermore let TCbe the closure of T with respect to the modaloperator C says: T ⊆ TC, and if σ ∈ TC, then(C saysσ) ∈ TC. Now (T ∗)C is the modal clo-sure applied to the propositional closure of someoriginal set T. With these definitions, we canshow:

�(B (T ∗)C⇒ A

)��

(B|C T⇒ A|C

)(Axiom 31)

When T = U , this axiom reduces to showingright-monotonicity for the original speaks-for re-lation. This axiom means that A’s restricted del-egation to B must explicitly include any “quotes”of C that it is willing to believe B about. Itseems awkward, but it is a useful result. Why?Because any possible-worlds semantics wherein(B T⇒ A) �

�(B|C ′ T⇒ A|C ′) for all principals C ′

must depend on every other principal relation.The introduction of malicious principals withcleverly-chosen relations into such a system caneffectively expand T until T = U .

5.1.1 Semantics of T⇒The semantic definition of T⇒ is based on the no-tion of “projecting” a model into a space where

only the statements in set T are relevant. Theidea behind this definition is that if one were totake the “quotient” of a model M with respectto the dual of T , the resulting model M would beconcerned only with statements in T . B ⇒ A inM should be equivalent to B

T⇒ A in the originalmodel. The model M is a projection of M thatonly preserves information about statements inT .

To do this, we begin by defining an equiva-lence relation ∼=T : W×W that relates two worldswhenever they agree on all statements in T :

w ∼=T w′ iff(∀σ ∈ T, w ∈ E(σ) iff w′ ∈ E(σ)

)(Definition 32)

Then we define the mapping φT : W →W that takes worlds from the original modelto equivalence classes of ∼=T . The equivalenceclasses belong to a set W = 2T ; notice thatworlds (equivalence class representatives) in M

cannot be confused with those in M .

φT (w) = φT (w′) iff w ∼=T w′ (Definition 33)

We give a construction of φT (w) in AppendixSection A.1.

Next we extend φT to the function φwT : 2W →

2W that maps a set of worlds Sw ⊆ W to a set ofequivalence class representatives in the projectedmodel:

φwT (Sw) = {w | ∃w ∈ R, w = φT (w)}

(Definition 34)

We use bar notation (w) to indicate an equiva-lence class representative (member of a world ofa projected model) as opposed to a member ofW in the original model.

We can now give our first semantic definitionof restricted delegation:

E(B T⇒ A)

=

⎧⎨⎩ W if ∀w0

(φw

T (R(A)(w0)) ⊆φw

T (R(B)(w0))

)∅ otherwise

(Definition 35)

For the justifications of several of the axiomsit is more convenient to shift the projection (φ)

16

operation to one side of the subset relation. Todo so, we define

φ+T (R) =

{〈w0, w′1〉

∣∣ ∃w1∼=T w′

1, 〈w0, w1〉 ∈ R}

(Definition 36)

Think of φ+T as a function that introduces as

many edges as it can to a relation without dis-turbing its projection under T .

We can use φ+T to give an equivalent definition

of T⇒:

E(B T⇒ A) ={

W if R(A) ⊆ φ+T (R(B))

∅ otherwise(Definition 37)

The symbolic gymnastics of moving the projec-tion to the right side of the ⊆ relation is equiva-lent to the definition in terms of φw

T , but it savesus work in Section 6. The equivalence is shownin Appendix A.2.

A casual intuition for this definition is that φT

projects from the full model M down to a modelin which worlds are only distinguished if they dif-fer with regards to the truth of statements in T .If we collapse away the accessibility arrows thatdo not say anything about what is happening inT , and A’s relation is a subset of B’s relationin the projection, then A knows everything Bknows about statements in T . This intuition isexactly what we want for restricted delegation.

What happens if we take alternative defi-nitions for restricted delegation? We exploreone tempting but undesirable alternative inAppendix A.3. Presently, in Sections 5.1.2and 5.1.3, we explore two intriguing possibilities.

5.1.2 The T→ relation

Abadi mentions a weaker version of the speaks-for operator, B → A,6 that is true exactly whenB saysσ �

�A saysσ. But A may have some dif-ferent reason than B to say σ. Semantically, A

may consider a totally different set of worlds pos-sible; it just happens that σ is still true in thoseworlds. For that reason, B → A is a weaker re-lation than B ⇒ A. The latter requires a special(subset) relationship to appear in the model.

6Personally, we pronounce it “B weakly speaks for A.”

We can define a semantics for these operators.

E(B → A) ={w

∣∣∣∣ ∀σ ∈ Σ∗,R(B)(w) ⊆ E(σ) �

�R(A)(w) ⊆ E(σ)

}

E(B T→ A) ={w

∣∣∣∣ ∀σ ∈ T,

R(B)(w) ⊆ E(σ) ��R(A)(w) ⊆ E(σ)

}

These are not particularly exciting definitions;they simply state just what the axiom says:

(B → A) = (B saysσ ��A saysσ)

It is obvious that weak restricted speaks-fordegenerates into Abadi’s unrestricted → opera-tor, since U = Σ∗:

BU→ A ≡ B → A

5.1.3 TheT� relation

Having witnessed a weaker relation →, one maywonder why Abadi et al. preferred a definition ofspeaks-for (⇒) that was stronger than it neededto be. The intuition seems to be that thestronger semantics captures the fact that A un-derstands B’s reasons for believing various state-ments. Our T⇒ is “strong” in the same sense; itdegenerates to ⇒ when T = U .

Our first attempt to build a strong speaks-forrelation, however, ended up too strong. We callthe definition below our “mighty” speaks-for:

E(BT� A) ={w

∣∣∣∣∣∀σ, R(A)(w)−⋂σ∈T

E(σ) ⊆ R(B)(w)

}

The idea here is that if a subset relationship re-stricts A to say everything B says, then permit-ting A’s relation to grow a little permits A to notsay some of the statements B says (those not inT ). The definition above preserves the desiredrelationship: if B saysσ, every world B can seehas σ true; because A can only see those worlds

17

and other worlds where σ is true, A saysσ. SoA has no “reasons” (edges to possible worlds) tonot say σ that B does not also have.

TheT� relation seemed promising because it

degenerated into ⇒ when T = U . It appears toostrong, however. For example, if T = {s,¬s},then ∩T E(s) = ∅, so any B

T� A would im-

ply B ⇒ A. The semantics are so strong thatmany interesting choices of T are not possible.

In fact, we presentT� here precisely because it

emphasizes the importance of having a satisfyingsemantics to lend intuitive meaning to the logic.We explore this issue further in Section 8.

5.1.4 Relationships between the rela-tions

Both T⇒ andT� are strictly stronger than T→:

BT⇒ A �

�BT→ A

BT→ A � �

�BT⇒ A

BT� A �

�BT→ A

BT→ A � �

�BT� A

The T⇒ relation is certainly not stronger thanT�;

it seems that it should be strictly weaker, but acorner case that prevents it from being so:

BT⇒ A � �

�BT� A

BT� A � �

�BT⇒ A

We establish each of these relationships in Ap-pendix A.5, frequently using counterexamplesto demonstrate what makes one relation weakerthan another.

We introduced the weak and mighty speaks-for relations in the interest of completeness. LikeLampson et al., we work primarily with the T⇒version of the relation.

5.1.5 Supplanting controls

Now that we have the restricted speaks-for rela-tion, we can dispense with the special controls

operator for building ACLs. Recall the spe-cial principal 1 from Section 3.5.1. Because itbelieves only truth, (1 sayss) �

�s for all state-ments s. (Check it in the semantics!) That is,we have an implicit principal that controls allstatements.

We can use the identity to replace every state-ment of the form A controls s with an equivalent

one: A{s}⇒w0 1. This statement ensures that

if A sayss, then at the actual world w0 of themodel, 1 sayss. Since the 1 relation only con-tains edges from a node to itself, this conditioncan only be satisfied by selecting an actual worldw0 where s is true.

Although this is completely equivalent to thespecial controls operator, it is more elegant inthat all access control on s is uniformly encodedin T⇒ statements. As with ACLs, the ground-level statements like A

T⇒ 1 must be stored onthe server that implements the operations in T ,because 1 is not a cryptographic key that cansign authorization certificates. In contrast toACLs, however, A can make further delegationsB

T2⇒ A that share part of A’s permission, even ifA cannot change the ACLs (ground-level state-ments). This ability to share resources throughan unlimited number of delegations, each withthe ability to restrict the delegated permissions,was our original motivation for developing thisextension to Lampson’s calculus.

5.1.6 Supplanting roles

Roles as originally defined are attractive, butthey have the significant difficulty that introduc-ing a new restricted role R2 involves finding all ofthe objects that role should be allowed to touch,and adding AasR2 to each of those ACLs. Whenone of those objects does not allow ACL modi-fications by A, it is impossible for A to expressthe desired new role. The SPKI document givesa vivid example that shows how ACL manage-ment can become unwieldy [EFL+99, p. 17].

With the speaks-for-regarding relation, A canintroduce a new role R2 for itself by allowingA as R2

T2⇒ A. In fact, roles are no longer nec-essary at all, but the as and for operator, or

18

operators like them, may still be useful for build-ing tractable implementations.

Roles, as semantically defined by Abadi et al.,can also have surprising consequences becausethey belong to a global “namespace.” Imaginethat both Alice and Bob use the role Ruser intheir ACLs. That means that the same relationR(Ruser) encodes both the way that A as Ruser

is weaker than A, and the way that B as Ruser isweaker than B.

Let us build a model for a concrete example.Our model has two worlds, ws and ws, wheres is true and s is false, respectively. Assumethat neither Alice nor Bob begin by believing s:¬A sayss and ¬B sayss. Our model must havethe relations:

〈w0, ws〉 ∈ R(A)〈w0, ws〉 ∈ R(B)

(w0 is a placeholder for whichever world is the ac-tual world.) Now assume Alice’s doppelganger(A as Ruser) sayss. To model this, we needR(A as Ruser) = R(A) ◦ R(Ruser) to includeonly worlds where s is true. We want to pre-serve ¬A says s, or else it would be the casethat (A as Ruser) ⇒ A. That means we can-not change A’s relation; so our only recourse isto use R(Ruser) to sever the edges leading to ws:

〈ws, ws〉 �∈ R(Ruser)

But because Ruser is also used by Bob, we arriveat:

ws �∈ (R(B) ◦ R(Ruser))(w0)ws �∈ R(B as Ruser)(w0)

Since B as Ruser has no edges to the world ws

where s is false, our model supports the state-ment (B as Ruser) sayss. Using a common rolehas caused unexpected crosstalk between oneprincipal and another.

5.1.7 Statement expiration

Lampson et al. treat expiration times casually in[LABW92, p. 270]: “Each premise has a lifetime,and the lifetime of the conclusion, and therefore

of the credentials, is the lifetime of the shortest-lived premise.” It is likely that a formal treat-ment of lifetimes would be time-consuming andunsurprising, but the lifetimes are an unsightlyelement glued onto an otherwise elegant logicalframework. Fortunately, the T⇒ relation allowsus to dispense with lifetimes.

Recall from Section 3.3 that the primitivestatements such as s are meant to encode someoperation in a real system. Assume that each s

describes not only an operation, but the effectivetime the operation takes place.7 The restrictionset T in a delegation B

T⇒ A can include restric-tions on the times of the operations under con-sideration. So now every delegation may remain“valid” forever. After the last point in time per-mitted by T , the delegation becomes useless; anyrequested operation bears a timestamp prevent-ing it from belonging to T . Furthermore, restric-tions on T can be more than expiration times;one can encode arbitrary temporal restrictions,such as only allowing a delegation to be valid onFriday afternoons.

6 Names

Recall from Section 5.1.6 how roles are in aglobal “namespace,” and that seems dangerous,because there can be some crosstalk between ap-plications of the same role. SPKI names arepromising, but they have the same property:identical names have different meaning depend-ing on the “scope” in which they appear. Tomodel names, we need to extend our logic andsemantics.

We introduce to the logic a new set of primitivenames, N . We also extend principal expressionsto include those of the form P ·N , where P is anarbitrary principal expression and N ∈ N . P ·Nis read “P ’s N .” Because · only accepts a prin-cipal as its left argument, there is no ambiguityin the order of operations; P · N1 · N2 can onlybe parenthesized (P · N1) · N2.

7Like Lampson et al., we ignore the issue of securelyproviding loosely synchronized clocks.

19

6.1 The logic of names

What properties do we want names to have?Local namespaces. First, a principal should

control the meaning of any names defined rela-tive to itself:

∀ principals A, names N :

(A says (B T⇒ A · N )) ��(B T⇒ A · N )

We do not take this statement as an axiom forthe same reason that Abadi and Lampson do notaccept the handoff axiom [LABW92, p. 715],[ABLP93, p. 273]. In particular, our semanticsdoes not support it. Instead, as with the handoffaxiom, we assume appropriate instances of it areassumed by the implementation.

Monotonicity. Second, name applicationshould be monotonic over speaks-for. If Alicebinds her name “barber” to Bob, and Bob bindshis name “butcher” to Charlie, then we want“Alice’s barber’s butcher” to be bound to Char-lie.

(B ⇒ A) ��(B · N ⇒ A · N )

Using this rule, we can write the following tocapture the desired intuition:

(B ⇒ A · Nbarber) ��

B · Nbutcher ⇒ A · Nbarber · Nbutcher

We take as our axiom a version of the rule gen-eralized to T⇒.

∀ principals A,B, names N,

and sets of statements T :

(B T⇒ A) ��(B · N T⇒ A · N ) (Axiom 38)

Distributivity. We combine the followingpair of results

(A∧ B) · N ⇒ (A · N ) ∧ (B ·N ) (Theorem 39)(A · N ) ∧ (B · N ) ⇒ (A∧ B) · N (Axiom 40)

to show that names distribute over principal con-junction:

(A∧ B) · N = (A · N ) ∧ (B ·N ) (Theorem 41)

Here is a motivating example: If Alice has twodoctors Ed (E) and Fred (F ), and Bob visitsdoctors Fred and George (G), then who is “(Aliceand Bob)’s doctor?” Fred is the only person whoserves as both people’s doctor.

No quoting axiom. The principal (A|B) ·Ncan be written, but we have yet to find a mean-ingful intuitive interpretation for it. (A|B) · Nbears no obvious relation to (A · N )|(B · N ), forexample. We allow the principal in our logic, butwe have no axioms for extracting quoting frominside a name application.

Nonidempotence. Finally, application ofnames should not be always idempotent. Un-less some other speaks-for statement causes it,there is no reason that “Bob’s barber’s barber”should speak for “Bob’s barber.” We first at-tempted to model name application (·) with thequoting operator (|), because quoting satisfiesAxiom 38, which led us to consider using roles tomodel names. Roles are also idempotent, how-ever, which is undesirable. Surely the principal“Alice’s barber’s barber” will not always be thesame as “Alice’s barber.”

It may be the case, though, that the applica-tion of a name can become idempotent. Take theexample in Figure 5. In this example, let thesymbol N stand for the name “barber.” The up-per solid left arrow represents an explicit state-ment made by Alice: A saysB ⇒ (A·N ); that is,Bob may serve as Alice’s barber, and do anything“Alice’s barber” is allowed to do. Similarly, theother solid left arrow represents Bob delegatingCharlie as his barber. It turns out Charlie andBob work in the same barber shop and cut eachother’s hair. The swooping solid arrow on theright represents Charlie delegating the responsi-bility of “Charlie’s barber” to Bob. So A · N is“Alice’s barber,” and is controlled by her barberBob. A ·N ·N is “Alice’s barber’s barber,” and iscontrolled by her barber’s barber Charlie. Bobalso has some control over “Alice’s barber’s bar-ber,” since he is free to change his barber fromCharlie to another.

An interesting thing happens at the next levelof name application. The literal name “Alice’sbarber’s barber’s barber,” who we know as Bob,is actually equal to “Alice’s barber’s barber.” It

20

A

A · N B

A · N ·N B ·N C

A · N · N ·N B · N · N C ·N

Figure 5: An example that shows when inherited names can become idempotent. Each arrow repre-sents a speaks-for relationship; the text explains each arrow in more detail.

is not that Bob becomes equal to Charlie, butthat ·N has become idempotent. In our case,both Charlie and Bob have control over A ·N ·N ,so any further application of ·N introduces nonew restrictions on the resulting principal. Thederived principal is equal to the parent principal.This conclusion is both intuitive, and valid in thesemantics we present next, but cannot be provenusing the logic.8

6.2 The semantics of names

We mentioned above that names and name appli-cation cannot be modeled with the roles and thequoting operator, because quoting a role is al-ways idempotent. Furthermore, using the samerole for multiple uses of the same name by differ-ent principals introduces crosstalk as describedin Section 5.1.6.

Instead, we model names as follows. First, weadd a new element to the tuple that defines amodel. A model with naming consists of:

M = 〈W, w0, I, J, K〉The new interpretation function K : P × N →2W×W maps a primitive principal A and a nameN to a set of relations R. The idea is that prin-cipals only define the first level of names in theirnamespaces; all other names are consequences ofchained first-level name definitions.

8We accept incompleteness. Abadi mentioned that

the original logic was incomplete. TheT⇒ relation cer-

tainly does not help matters, considering that complete-ness would involve introducing finite-set mathematics tothe logic.

Next we extend R to define the relations forprincipals formed through name application. Wewant to define R(A·N ) as the intersection of sev-eral other sets, each requirement ensuring a de-sired property. Our definition, however, wouldend up circular (at requirement II) if it were ex-pressed in terms of set intersection. Instead, wedefine R(A · N ) as the largest relation (subsetof 2W×W ) satisfying all of the following require-ments:

R(A · N ) ⊆φ+T (R(B · N )) (I)(∀B, T : R(A) ⊆ φ+

T (R(B)))R(A · N ) ⊆K(A, N ) (II)

(when A ∈ P )R(A · N ) ⊆R(B ·N ) ∪R(C · N ) (III)

(when A = B ∧ C)(Definition 42)

Requirement I supports Axiom 38. RequirementII applies only to primitive principals, and allowseach primitive principal to introduce definitionsfor first-level names in that principal’s names-pace. A system implementing instances of thehandoff rule would do so by modifying K(A, N ).Requirement III only applies to principal expres-sions that are conjunctions, and justifies Theo-rem 41. There is no question some such largestrelation exists; since each requirement is a subsetrelation, at least the empty set satisfies all four.

21

6.2.1 Abadi’s semantics for linked localnamespaces

Abadi gives an alternate logic and semantics forSPKI-style linked local namespaces [Aba98]. (Herefers to SDSI, from which SPKI 2.0 derives.)Ours differs in three interesting ways.

First, SPKI has special global names, so thatif NG is a global name, A · NG = NG. The re-sult is that the same syntactic construct can beused to bind a local name to another local nameor to a globally-specified name. All names inlinking statements are implicitly prefixed by thename of the speaking principal; but if the explic-itly mentioned name is global, the prefix has noconsequence. We consider this syntactic sugar,and leave it to an implementation to determinefrom explicit cues (such as a key specification ora SDSI name that ends in !!) whether a men-tioned principal should be interpreted as local tothe speaker.

Second, Abadi’s logic adopts the handoff rulefor names, which he calls the “Linking” axiomHere it is, translated to our terminology:

A says (B ⇒ (A · N )) ��(B ⇒ (A · N ))

He validates the axiom by the use of compositionto model name application, with which we alsodisagree.

Abadi’s semantics maps each unqualified nameto a single relation, and models name applica-tion as quoting (composition). The single re-lation modeling a name can introduce crosstalkbetween otherwise unconnected principals. Re-call the example from Section 5.1.6. Even whena name relation is not constrained to be a role,the same problem arises. For example, let N

represent the name “doctor.” Imagine that Bobassigns Charlie to be his doctor: C ⇒ B|N Thisis fine; Charlie should be able to do some thingson Bob’s behalf (if B|N T⇒, Charlie can do thethings in T ), but not everything. Enter Alice,who is not only omniscient (A = 1), but servesas her own doctor (A ⇒ A|N ). The model re-quires that R(1) ◦ R(N ) ⊆ R(1). At worst,R(N ) = R(identity), causing B|N = B, en-abling Charlie’s doctor to make investment de-cisions on Charlie’s behalf. At best, R(N ) ⊂

R(identity), and B|N begins spouting off ran-dom statements, some of which may be in T ,making Bob believe random statements.

Our semantics escapes this fate by assigningto each use of a name its own relation, thenensuring the correct subset relationships remainamong those relations. We must admit that oursemantics for names is at best opaque. Using anexistential definition like “largest set satisfyingthe requirements” is not illuminating. We feel itis better than the alternative, though.

7 Modeling SPKI

Lampson’s original calculus for access control isuseful because its principals are general enoughto model several parts of a computing system,from users to trusted servers to communicationschannels. Our addition of the ability to re-strict authority with any delegation provides theneeded extra power to make the calculus use-ful across administrative domains. Perhaps themost convincing evidence of this power is howwell our extended calculus can model SPKI, anaccess-control system designed to span adminis-trative domains.

Recall that the Simple Public Key Infrastruc-ture (SPKI), which we reviewed in Section 4,principally provides access control, rather thanidentity authentication. In that sense, it showsits Lampson heritage. To formally model SPKIwith our extension to Lampson’s original calcu-lus, we first give a construction that models thedelegation-control bit.

7.1 Delegation control

The SPKI document gives the motivation for in-cluding a delegation-control bit in SPKI certifi-cates. We disagree with the argument and fall infavor of no delegation control, and for the samereasons as described in the document: delega-tion control is futile, and its use tempts usersto divulge their keys or install signing oracles tosubvert the restriction. Such subversion not onlynullifies delegation control, but forfeits the ben-efits of auditability provided by requiring proofsof authorization. In spite of our opinion, we

22

present an construction that models delegationcontrol.

To model the delegation-control feature wewish to split the says modality into two separatemodalities: “utterance,” which represents a prin-cipal actually making a statement, and is neverautomatically inherited by other principals, and“belief,” which is inherited transitively just assays is. Not only is introducing a new logicalmodality clumsy, but it would require us to sup-port a questionable axiom, undermining the sim-plicity of the semantics.

Instead, we resort to an equivalent construct:we split each “real” principal A we wish to modelinto subprincipals Au and Ab. Au shall sayonly the things that A utters (statements thatare actually signed by A’s key; recall that allcertificate-issuing principals in SPKI are keys),and Ab shall say all of the things that A be-lieves. A may inherit its beliefs from other prin-cipals (because she has delegated to other sub-jects the authority to speak on her behalf), andfurthermore A should believe anything she ut-ters. This last condition replaces the clumsy ax-iom we wished to avoid; instead we enforce it bysimply assuming the following statement for allprincipals A and statements s:

� Au sayss ��Ab sayss (Assumption 43)

Certificates issued by A are statements utteredby A asserting things that A believes, so wemodel them as statements about Ab said by Au.The desirable outcome is that no principal candelegate authority to make herself utter some-thing (make Au say something); she may onlyutter the statement directly (by signing it withher key).

7.2 Restriction

Recall that a SPKI 5-tuple includes five fields:issuer, subject, delegation-control bit, authoriza-tion, and validity dates. Let I and S representthe issuer and subject principals. Let TA repre-sent the set of primitive permissions representedby the authorization S-expression, and TV theset of primitive permissions limited by the valid-ity dates (assuming the effective-time encoding

of Section 5.1.7). The 5-tuple can be representedthis way if its delegation-control bit is set:

Iu saysSbTA∩TV⇒ Ib

or this way if not:

Iu saysSuTA∩TV⇒ Ib

A 4-tuple has a name field (N ) and no autho-rization field or delegation-control bit. It wouldbe encoded:

Iu saysSbTV⇒ Ib · N

It seems natural that a delegation bit is mean-ingless for a name binding (in SPKI, a name prin-cipal can never utter a statement directly, only akey principal can). We find it curious, however,that SPKI name-binding certificates omit the au-thorization field. Why not allow a principal tosay the following?

Iu says (S1b ⇒ Ib · Nbarber)

Iu says (S2b{shampoo}⇒ Ib ·Nbarber)

In SPKI, such a refinement would require theuser represented by Iu to create a subsidiary key,bind it to Ib · Nbarber, and then make the re-stricted authorizations to the subsidiary key.

7.3 Linked local namespaces

The subject principals in the keys above may beeither keys (each directly represented by a prim-itive principal) or a string of names groundedin a key. Hence namespaces are “local” in thatnames are meaningless except relative to a glob-ally unambiguous key; namespaces are “linked”in that the naming operation may be repeated:If K1 ·N1 resolves to K2, then K1 ·N1 ·N2 is thesame as K2 · N2, perhaps defined as some K3.

We gave a logic and semantics for linked localnamespaces in Section 6. We model the SPKIname subject “george: (name fred sam)” withthe principal expression Kgeorge ·N“fred” ·N“sam”.Substituting the principal expression for Sb, a4-tuple takes on the general appearance:

Iu says ((KS ·N1 · · ·Nk)TV⇒ Ib · N0)

23

7.4 Threshold subjects

A threshold subject is a group of n principalswho are authorized by a certificate only when kof the principals agree to the requested action.Such certificates are really just an abbreviationfor a combinatorially long list (n

k) of conjunctionstatements. For example, a certificate with a 2-of-3 threshold subject naming principals P1, P2,and P3 and an issuer A can be represented as:

P1 ∧ P2 ⇒ A

P1 ∧ P3 ⇒ A

P2 ∧ P3 ⇒ A

Hence the logic easily captures threshold sub-jects, although any tractable implementationwould obviously need to work with them in theirunexpanded form.

7.5 S-expressions

S-expressions, as used in authorization fields inSPKI, merely represent sets of primitive state-ments. Therefore, we simply model them usingmathematical sets. We use the fact that neitherS-expressions nor validity date fields can repre-sent a set containing a negated primitive state-ment in our analysis in Section 8.

7.6 Tuple reduction

The SPKI access-control decision procedure iscalled “tuple reduction.” A request is granted ifit can be shown that a collection of certificatesreduce to authorize the request. The reducedtuple’s subject must be the same key that is re-sponsible for the request, the tuple’s issuer mustrepresent the server providing the requested ser-vice, and the specific request must belong to theauthorization field of the reduced tuple.

It is clear that tuple reduction is sound withrespect to our extended logic. When 5- and 4-tuples are encoded in the logic as shown in Sec-tions 7.2 and 7.3, tuple-reduction simply con-structs a proof from several applications of The-orem 27.

SPKI’s decision procedure is not completewith respect to the logic, because many state-ments in the logic simply cannot be expressed as

a SPKI certificate. For example, the issuer of aSPKI certificate cannot be a conjunct principal,and quoting principals are not used anywhere inSPKI.

7.7 Validity conditions

An optional validity condition, such as a certifi-cate revocation list, a timed revalidation list, or aone-time validation, can be encoded in the logicusing a conjunction. For example, a certificaterequiring a timed revalidation would be inter-preted

A says (B ∧ (R|H1)) ⇒ A

to mean that principal R must verify that thiscertificate (with hash H1) is valid. Principal R

signs a revalidation instrument I with a shortvalidity interval TV

R says ITV⇒ R

and a given revalidation instrument would agreewith all valid outstanding certificates:

I says 0 ⇒ I |H1

I says 0 ⇒ I |H2

...

The principal 0 has relation R(0) = ∅, so thatevery principal speaks for 0. Using the logic, wecan reason that

0 ⇒ I |H1 ⇒ R|H1

and since B ∧ 0 = B, B ⇒ A. Notice the treat-ment of a hash as a principal. In the logic, prin-cipals are general entities and can be used torepresent many objects and actors.

Negative lists (CRLs) can be handled simi-larly; an implementation examining a revocationlist would conclude I says0 ⇒ I |H1 for any H1

not present in the list.One-time revalidations are meant to be inter-

preted as having a zero validity interval. A sys-tem verifying a request s creates a nonce E, un-derstanding E says s, and sends it to the reval-idator R. R replies with a statement meant to

24

be interpreted

R saysE{s}⇒ R|H1

Now both B1 and E{s}⇒ R|H1 say s, so A sayss.

Any future request of the same sort will requireanother revalidation, for its s will have a differenteffective time.

7.8 What is not in SPKI

Conjunct principals (A ∧ B) are not first-classentities in SPKI, although they can appear asthreshold subjects. One consequence is thatSPKI does not have a rule that exploits Theo-rem 41.

Quoting principals are also missing fromSPKI; Lampson’s paper gives nice examplesshowing how quoting can help a multiplexed hostor communications channel differentiate when itis working on behalf of one client rather than an-other [LABW92, Sections 4.3, 6.1, 6.2, and 7.1].Without quoting, such a host has permission tomake statements for either client, so it mustperform an access-control check in advance ofrelaying a client’s statement. The situation isanalogous to a root POP server that duplicatesthe permissions checks of the kernel rather thanchanging its UID and letting the kernel verifythe permissions on the system call itself. Quot-ing lets the multiplexed host defer the completeaccess-control decision to the final server verify-ing the proof. The result is a smaller trustedcomputing base and improved auditability.

8 Consequences of Restriction

When CT⇒ B and B

V⇒ A, we conclude CT∩V⇒

A; this natural idea of transitive restriction ap-pears in SPKI’s access control decision procedureas well. When B

T⇒ A and BV⇒ A, though, we

conclude BT∪V⇒ A. This conclusion is certainly

true for T∪V⇒ in SPKI, for if B makes a statements ∈ T∪V , one certificate or the other allows B toprove that it is authorized on s. SPKI, however,has no notion of representing the union of re-striction sets; Certificate Result Certificates can

be used to summarize the proof of intersectedrestrictions, but not of unioned ones. This lim-itation is because SPKI’s representation of re-striction sets (each an implicit intersection of anS-expressions and a validity date range) lends it-self to intersection operations but not to unions.

The consequences of such extension operationsare worth considering. For example,

(B {σ,τ}→ A) ��(B {σ∧τ}→ A) (Axiom 44)

means that a principal believed on a set of state-ments is also believed on their conjuncts. Thisconclusion seems fairly natural, but it is interest-ing to note that a restriction set actually permitsmore statements than it represents explicitly.

If we employ our projected version of Abadi’sspeaks-for semantics, not only does

(B {σ,τ}⇒ A) ��(B {σ∧τ}⇒ A) (Axiom 45)

hold, but also:

(B {σ}⇒ A) ��(B {¬σ}⇒ A) (Axiom 46)

This result implies that given authority on a setof primitive statements, a principal also has au-thority on any propositional formula constructedfrom those statements. It is surprising, for even

if only B{s}⇒ A is explicitly granted, B can also

cause A to say the negation of s.Perhaps scarier still is that

B{σ}⇒ A �

�B{σ,¬σ}⇒ A

��B

{σ,¬σ}→ A��(B says false) �

�(A says false)

The conclusion is the definition of Abadi’s �→relation:

“Intuitively, A �→ B means that thereis something that A can do (say false)that yields an arbitrarily strong state-ment by B (in fact, false). Thus, A �→B means that A is at least as powerfulas B in practice.”

25

With these semantics, one might fear thatno restriction is actually meaningful. Howmight we escape it? One option is toabandon the K axiom (Abelievess ∧Abelieves (s �

�t) ��Abelieves t), so that

principals no longer believe every consequenceof their beliefs. This option seems undesirablebecause it cripples the logic to only operateoutside the scope of belief operators.

A second option is to both disallow negativestatements in restriction sets and to use theweaker B

T→ A relation instead of BT⇒ A to

model delegation.A third option is to prevent principals from

making contradictory statements. This is dif-ficult in general in a distributed system. Oneapproach is to prevent principals from makingnegative statements (by ignoring any such state-ments).

A conclusion is that in certain dimensions,SPKI is as strong as it can be. ChangingSPKI by allowing principals to make nega-tive statements or by allowing negative state-ments in restriction sets would push SPKI “overthe edge,” making its restrictions meaningless.Those proposing to augment SPKI or other sys-tems based on a logic such as that presented heremust be wary of this hazard.

9 Snowflake and theT⇒ relation

We are building a prototype distributed systemcalled Snowflake to learn about how to span ad-ministrative domains. In Snowflake, we are usingthe extended calculus to represent authorizationsacross administrative domains.

While the extended calculus can model SPKI,it can also model more general systems. Specifi-cally, SPKI is restricted in that every authoriza-tion delegation must occur between two crypto-graphic keys. Cryptography can be expensive,however, and within a trusted computing base,it is unnecessary. In Snowflake, communicationsbetween “kernels” (in our prototype, Java virtualmachines) use cryptographic certificates equiva-lent to SPKI certificates. Within a kernel, how-ever, there may be many principals to repre-

sent, and no reason to pay the computationalprice to represent them with cryptographic keys.Similarly, the delegations among those principalsneed not be represented with signed certificates.By leaning on the broader calculus, we can builda kernel with faster but equally sound internalaccess control that resorts to cryptography for“long-haul” communication.

10 Related Work

Neuman’s proxies are tokens that confer a re-stricted subset of a principal’s rights upon someother principal [Neu93]. Such restricted proxiescan be represented as statements of the formA saysB

T⇒ A, with T the set of restrictions.One goal of his system is to allow authorizationdecisions and accounting to be performed by aremote server. He describes how proxies can beused by object servers to delegate authorizationresponsibility to a third party. He also describesa scheme for accounting wherein proxies repre-sent checks, endorsements, and certified checks.The check proxies allow object servers to trans-fer currency from the client to account for ser-vices rendered. Regarding Lampson’s calculus,Neuman observes that “the creation of a newrole is cumbersome when delegating on the flyor when granting access to individual objects”(page 288). Our work is motivated by the samesentiment, but we remove that hindrance whileretaining the formal nature of Lampson’s frame-work.

The PolicyMaker system of Blaze et al. is aframework for services that rely on cryptography[BFL96]. PolicyMaker assertions associate anauthority structure (a set of public keys, whichwe would represent as principals) with a filterthat defines the actions the principals are al-lowed to perform (analogous to the restrictionsets of the T⇒ relation). Such assertions are either“policies” or “certificates.” The object serveroriginates the former, and trusts them uncondi-tionally. Certificates originate beyond the objectserver, and each is signed by its source, to estab-lish its validity. Filters are general programs runin a resource-bounded safe language. They have

26

access not only to the request, but to the “envi-ronment:” the current time, the name of the ap-plication, and the chain of keys and certificatesthat is being evaluated. We consider the enti-ties in PolicyMaker to be unnecessarily specific.Lampson’s calculus gives us a fundamental un-derstanding of trust relationships separate fromimplementation choices such as cryptography.

Massacci’s work on role-based access controldefines a semantics for an access-control logicvery similar to that of Lampson et al. [Mas97].It has semantic limitations that allow the use ofdecisions based on tableau methods. His appli-cation of tableau methods either provide proofof authentication or a counter model that showsthat no proof exists.

Bertino et al. offer a model for temporal ac-cess control, from expiration times to periodicauthorizations such as allowing access on Tues-days [BBFS96]. Their model allows statementspremised upon the negation of other statements,and so requires global knowledge of the systemto make decisions. This precludes its use in dis-tributed systems, particularly those that spanadministrative domains.

Gray and Syverson provide a logic for rea-soning about security in systems that requiremandatory access control [GS98]. They are con-cerned with verifying that a system meets thedefinition of “probabilistic noninterference:” aprincipal only knows what it is permitted toknow. Their logic is focused on the verificationof a single central system being accessed by a setof adversarial programs at different classificationlevels.

11 Summary

We describe an extension to the access-controlcalculus of Lampson et al. [LABW92], in whichthe new speaks-for-regarding operator T⇒ allowsa principal to share a restricted subset of its au-thority with another principal. The three mainadvantages of this extension are:

1. A principal may delegate a restricted partof its authority, even when the objects of

concern do not have ACLs writable by thedelegator. Restricted delegation shows itspower when used in chains of delegation,where each principal may pass on only asubset of its privileges to the next withoutneeding to edit ACLs or offer a restrictedsigning oracle to do so.

2. The original controls operator for specify-ing of ACLs is replaced with a collection ofT⇒ expressions in the basic calculus. Whatonce were called ACLs are now just a par-ticular case of restricted delegation: the firstdelegations in any chain. That means thatany policy that could be encoded before inACLs can now be encoded anywhere in achain of delegations, making a system muchmore flexible and manageable.

3. Time restrictions on statements, such as ex-piration times, are directly encoded in thecalculus.

The first advantage adds new expressivenessto the calculus, expressiveness that is critical tothe viability of the calculus as a security modelin a widely distributed system that spans admin-istrative domains. Because the concept of re-stricted delegation is supported in a general cal-culus that models arbitrary kinds of principals,the security model is as suitable for use both lo-cally on a single host and between hosts withno a priori administrative relationship. Systemswithout this crucial property preclude users fromcommunicating due to mechanisms that makeassumptions about the structure of administra-tive domains. Systems with this property canstill build policies reflecting desired administra-tive relationships using restricted delegation; it isjust that the mechanism of the system no longerdictates the structure of those administrative re-lationships.

We also applied the extended calculus to mod-eling SPKI and our own distributed system. Wediscussed some of the consequences exposed byour extended logic and its semantics; specifically,the fact that a logical system can present the il-lusion of restricted delegation when in fact thedelegation restricts very little or not at all. SPKI

27

narrowly escapes this fate, but related systems orproposals to extend SPKI should carefully con-sider this problem.

Acknowledgements

Thanks to John Lamping, who patiently helpedJon understand logical proof systems and se-mantic models. Thanks also Doug McIlroy, JonBredin, Valeria de Paiva, Mark Montague andLarry Gariepy for their discussions, which helpedrefine the idea. Thanks to the USENIX organi-zation for funding our research on this topic.

References

[Aba98] M. Abadi. On SDSI’s linked local namespaces. Journal of Computer Security,6(1-2):3–21, 1998.

[ABLP93] M. Abadi, M. Burrows, B. Lampson,and G. Plotkin. A calculus for accesscontrol in distributed systems. ACMTransactions on ProgrammingLanguages and Systems, 15(4):706–734,September 1993.

[BBFS96] Elisa Bertino, Claudio Bettini, ElenaFerrari, and Pierangela Samarati.Supporting periodic authorizations andtemporal reasoning in database accesscontrol. In Proceedings of 22ndInternational Conference on Very LargeData Bases, pages 472–483. MorganKaufmann, September 1996.

[BFL96] M. Blaze, J. Feigenbaum, and J. Lacy.Decentralized trust management. InProceedings of the 1996 IEEESymposium on Security and Privacy,pages 164–173, 1996.

[EFL+99] Carl M. Ellison, Bill Frantz, ButlerLampson, Ron Rivest, Brian M.Thomas, and Tatu Ylonen. SPKIcertificate theory, October 1999.Internet RFC 2693.

[FHMV95] Ronald Fagin, Joseph Y. Halpern,Yoram Moses, and Moshe Y. Vardi.Reasoning about Knowledge. MIT Press,1995.

[Gol73] William Goldman. The Princess Bride.Ballantine, 1973.

[GS98] J. W. Gray III and P. F. Syverson. Alogical approach to multilevel security ofprobabilistic systems. DistributedComputing, 11(2):73–90, 1998.

[HC96] G. E. Hughes and M. J. Cresswell. ANew Introduction to Modal Logic.Routledge, 1996.

[LABW92] Butler Lampson, Mart́ın Abadi, MichaelBurrows, and Edward Wobber.Authentication in distributed systems:theory and practice. ACM Transactionson Computer Systems, 10(4):265–310,November 1992.

[Mas97] F. Massacci. Reasoning about security:a logic and a decision method forrole-based access control. In Proceedingsof the First International JointConference on Qualitative andQuantitative Practical Reasoning(ECSQARU-FAPR), pages 421–435,1997.

[Neu93] B. Clifford Neuman. Proxy-basedauthorization and accounting fordistributed systems. In Proceedings ofthe 13th International Conference onDistributed Computing Systems(ICDCS), pages 283–291, May 1993.

[WABL94] Edward Wobber, Mart́ın Abadi, MichaelBurrows, and Butler Lampson.Authentication in the Taos operatingsystem. ACM Transactions onComputer Systems, 12(1):3–32, February1994.

A Proofs

A.1 Construction of φT

Definition Definition 33 presupposed the exis-tence of a projection function φT . We constructsuch a function now, and show that it satisfiesthe definition. Let W = 2T ; that is, worlds in Mare subsets of T . Define

φT (w) = w ∈ W

where (σ ∈ w) ≡ (w ∈ E(σ)) ∀σ ∈ T(Definition 47)

Necessity. Given φT (w) = w = φT (w′), weknow ∀σ ∈ T, σ ∈ w iff w ∈ E(σ), and likewise,

28

∀σ ∈ T, σ ∈ w iff w′ ∈ E(σ). Therefore ∀s ∈T, w ∈ E(σ) iff w′ ∈ E(σ), and we concludew ∼=T w′.

Sufficiency. From the definition of w ∼=T w′,we know ∀σ ∈ T, w ∈ E(σ) iff w′ ∈ E(σ). Letw = {σ ∈ T |w ∈ E(σ)} and w′ = {σ ∈ T |w′ ∈E(σ)}. From our hypothesis we know that theconditions on w and w′ are the same, so φT (w) =w = w′ = φT (w′).

In the following proofs, we generally use a bar(w) to indicate a member of an equivalence classconstructed as shown here.

A.2 Equivalence of φRT and φ+

T defini-

tions ofT⇒

We now justify our claim in Section 5.1.1 thatDefinition 35 and Definition 37 are equivalent.

Necessity. Assume B T⇒ A holds accordingto Definition 35:

∀w′0

(φw

T (R(A)(w′0)) ⊆ φw

T (R(B)(w′0))

)For all 〈w0, w1〉,

〈w0, w1〉 ∈ R(A) ��w1 ∈ R(A)(w0)�� w1 ∈ φw

T (R(A)(w0)),w1 = φT (w1)

��w1 ∈ φw

T (R(B)(w0))

(using the assumption)�� ∃w′

1∼=T w1,

〈w0, w′1〉 ∈ R(B)(w0)

��〈w0, w1〉 ∈ φ+

T (R(B))

Sufficiency. Assume B T⇒ A holds accordingto Definition 37:

R(A) ⊆ φ+T (R(B))

Given w0 and w1 ∈ φwT (R(A)(w0)), we know

that there is some w1 ∈ R(A)(w0), withw1 = φT (w1). We rewrite the statement〈w0, w1〉 ∈ R(A), and invoke the assumptionto get 〈w0, w1〉 ∈ φ+

T (R(B)). Now we knowthere exists 〈w0, w

′1〉 ∈ R(B) with w′

1∼=T w1.

Changing notation again, w′1 ∈ R(B)(w0). Since

w′1∼=T w1, we know w1 = φT (w′

1), and we mayconclude w1 ∈ φw

T (R(B)(w0)).Together, the two implications show the equiv-

alence.

A.3 An undesirable semantics forT⇒

Notice that φ+T projects only the destination

world of each edge in a relation. Why do wenot project both ends of the relation? Such adefinition actually does not preserve our mostbasic intuition, that B

T⇒ A ��B

T→ A. Inthe model in Figure 6, the dotted ovals depictthe equivalence classes under T ; projecting bothends of the edges in R(A) gives {〈T, ∅〉}, as doesR(B). From world w0, however, B sayss butnot A sayss.

Given a relation 〈w0, w1〉, then, the reasonwe only project w1 is this: w0 is affected bywhat statements are true at w1; substitutingother worlds equivalent with respect to T doesno harm. Substituting other worlds for w0, onthe other hand, changes what statements we con-sider true at w0.

T

t

st

st

B A

B

st

s

Figure 6: In this example, T = {s}. Notice thatB � T→ A.

A.4 Proof of soundness

In this section, we show that our extension toLampson’s calculus is still a sound axiomatiza-tion of the presented semantics. Like Lampson’soriginal logic, ours is based on a conventionalKripke semantics of modal logic. The conven-tional proofs of soundness for Axiom 1, Rule 2,

29

Axiom 3, and Rule 4 apply. Our extensions de-fine E for a new formula (B T⇒ A) and R for anew principal (A·N ), but do not perturb Abadi’soriginal semantics for the calculus for access con-trol. Because those semantics do not depend onany particular structure in E or R, the axioms ofthe calculus remain sound in our extended cal-culus.

Our present task is to show that the axioms ofour extensions are sound.

Axiom 22. This axiom follows easily fromDefinition 35. For all w0,

φwT (R(A)(w0)) ⊆ φw

T (R(B)(w0))⊆ φw

T (R(C)(w0)) �

The following lemma shows that φ+T preserves

the union operation. Let R1 and R2 be relations.

〈w0, w1〉 ∈ φ+T (R1 ∪ R2)

≡ ∃ w′1∼=T w1, 〈w0, w

′1〉 ∈ R1 ∪ R2

≡ ∃ w′1∼=T w1,

〈w0, w′1〉 ∈ R1 ∨ 〈w0, w

′1〉 ∈ R2

≡ ∃ w′1∼=T w1, 〈w0, w

′1〉 ∈ R1

∨ ∃ w′1∼=T w1, 〈w0, w

′1〉 ∈ R2

≡〈w0, w1〉 ∈ φ+T (R1) ∨ 〈w0, w1〉 ∈ φ+

T (R2)≡〈w0, w1〉 ∈ φ+

T (R1) ∪ φ+T (R2)

From this equivalence we conclude

φ+T (R1 ∪ R2) = φ+

T (R1) ∪ φ+T (R2) (Lemma 48)

Axiom 23. We assume the premise in termsof Definition 35:

∀ w′0 (φw

T (R(A)(w′0)) ⊆ φw

T (R(B)(w′0)))

We can readily reason for all w0:

φwT (R(A∧ C)(w0))

= φwT ((R(A) ∪R(C))(w0))

= φwT (R(A)(w0) ∪R(C)(w0))

= φwT (R(A)(w0)) ∪ φw

T (R(C)(w0))⊆ φw

T (R(B)) ∪ φwT (R(C))

= φwT (R(B)(w0) ∪R(C)(w0))

= φwT ((R(B) ∪R(C))(w0))

= φwT (R(B ∧ C)(w0)) �

Axiom 24. This axiom has a symmetric con-sequence, so we only show the first conjunct. Forall worlds w0,

φwT (R(A)(w0)) ⊆ φR

T ((R(A) ∪R(B))(w0))(Lemma 48)

⊆ φRT (R(C)(w0)) (premise)

�

We digress to point out that we may dis-card “identical worlds” from a model withoutloss of generality. That is, imagine we have amodel M with two worlds w1 and w2 wherew1 ∈ E(σ) iff w2 ∈ E(σ) for every formulaσ ∈ Σ∗. The extra world w2 appears in everyI(s) that w1 appears in. Any edge in any rela-tion ending in w1 has a related edge ending inw2 (〈w, w1〉 ∈ J(A) ≡ 〈w, w2〉 ∈ J(A)); likewiseedges starting at w1 have a related edge start-ing at w2 in every relation. The same holds forthe relations in the name interpretation functionK(A, N ). It is clear that the extension functionR, and hence E , have the same overlap with re-spect to w1 and w2, so that w1 ∈ E(σ) ≡ w2 ∈E(σ).

Given this definition, we can build a modelM′ = 〈W ′, w′

0, I′, J ′, K ′〉 that discards w2:

W ′ = W − {w2}

w′0 =

{w1 if w0

w0 otherwise

I ′(s) = I(s)− {w2}J ′(A) = J(A) − {〈w, w′〉|w = w2 ∨ w′ = w2}

K ′(A, N ) = K(A, N )− {〈w, w′〉|w = w2 ∨ w′ = w2}

Happily, M′ preserves every consequence of M:(M |= σ) ≡ (M′ |= σ). Why? Whenever w0 ∈E(σ), w′

0 ∈ E ′(σ), either for exactly the samereasons (when w0 �= w2), or because w0 = w2,so w0 = w2 ∈ E(σ) ≡ w1 ∈ E(σ), and thenw′

0 ∈ E ′(s) for the same reasons that w1 ∈ E(s).Convinced that duplicate worlds do not alter

the consequences of a model, we may now assumethat no models contain identical worlds, withoutdamaging our semantics. If we know w1 �= w2,we can assume the existence of a formula σ with

30

(w1 ∈ E(σ)) �≡ (w2 ∈ E(σ)), and conclude thatw1 �∼=U w2 (by Definition 32). Therefore, φU isbijective:

w1 �= w2��φU (w1) �= φU(w2)

By the definition of φ+T it is obvious that any

relation R ∈ φ+T (R). But when T = U , the con-

verse is also true:

〈w0, w1〉 ∈ φ+U (R)

��∃ w′

1 such that 〈w0, w′1〉 ∈ R,

φU (w′1) = φU (w1)

��w′

1 = w1

��〈w0, w1〉 ∈ R

Now we have φ+U (R) = R.

Axiom 25. Expanding the definition of BU⇒

A and applying the previous result gives R(A) ⊆φ+U (R(B)) = R(B), which satisfies the definition

of B ⇒ A. �Justifying axiom Axiom 26 requires two lem-

mas that relate representatives of equivalenceclasses under different projections.

First, a representative of a projection due toa small set has a “big brother” in any projec-tion due to a superset, and the structure of thebrothers is closely related:

w′1 ∈ φw

T ′(Sw), T ′ ⊆ T��∃ w1 ∈ φw

T (Sw), w′1 = w1 ∩ T ′ (Lemma 49)

Proof. By the first premise, there is a w1 ∈Sw where w′

1 = φT ′(w1). From Definition 47 weknow

(σ ∈ w′1) ≡ (w1 ∈ E(σ)) ∀ σ ∈ T ′ (1)

Let w1 = φT (w1); since w1 ∈ Sw, w1 ∈ φwT (Sw).

Having exhibited w1, we need only show w1∩T =w′

1.We again invoke Definition 47 to get

(σ ∈ w1) ≡ (w1 ∈ E(σ)) ∀ σ ∈ T (2)

First, σ ∈ w1 ∩ T ′ means both σ ∈ T ′, and be-cause T ′ ⊆ T , σ ∈ T . The latter allows us touse (2) to write w1 ∈ E(σ), and then we invoke

(1) to get σ ∈ w′1. Conversely, σ ∈ w′

1 meansσ ∈ T ′ and hence σ ∈ T . We apply (1) to getw1 ∈ E(σ), and apply (2) to get σ ∈ w1. Now wehave shown w1∩T ′ = w′

1, proving the lemma. �The second lemma is approximately the con-

verse of the first:

w1 ∈ φwT (Sw), w′

1 = w1 ∩ T ′ T ′ ⊆ T��w′

1 ∈ φwT ′(Sw) (Lemma 50)

Proof. The first premise, by Definition 34, im-plies the existence of a w1 ∈ R, and Definition47 lets us write

(σ ∈ w1) ≡ (w1 ∈ E(σ)) ∀ σ ∈ T (1)

For every σ ∈ T ′, all of the following hold:

σ ∈ T (third premise)(σ ∈ w1) ≡ (w1 ∈ E(σ)) (1)

(σ ∈ w1 ∪ T ′) ≡ (w1 ∈ E(σ))(σ ∈ w′

1) ≡ (w1 ∈ E(σ)) (second premise)

This last result implies that w′1 = φT ′(w1), which

is sufficient to prove the conclusion of the lemma.�

Axiom 26. We take as our hypothesis M |=B

T⇒ A, that is:

φwT (R(A)(w0)) ⊆ φw

T (R(B)(w0))

Given any world w0 and sets T ′ ⊆ T , we assumew′

1 ∈ φwT ′(R(A)(w0)) and set out to prove w′

1 ∈φw

T ′(R(B)(w0)). By the assumption and Lemma49, we know

∃ w1 ∈ φwT (R(A)(w0)), w′

1 = w1 ∩ T ′

The hypothesis gives w1 ∈ φwT (R(B)(w0)), which

satisfies the premise for Lemma 50. Hence weknow w′

1 ∈ φwT ′(R(B)(w0)), and we have proven

that

∀ w0, (φwT ′(R(A)(w0)) ⊆ φw

T ′(R(B)(w0))) �

Theorem 27. Apply Axiom 26 twice to thepremises to get two relations restricted by S∪T ,then apply Axiom 22 to collapse them into therelation in the conclusion. �

31

tst

st

BA

A

t

As

s

w0

In this model, A’s rela-tion at w0 is not a sub-set of B’s.

Projected under S ={s}, however, the sub-set relation holds . . .

. . . as it does underT = {t}.

Figure 7: A counterexample showing why two delegations for sets S and T do not imply a delegationfor set S ∪ T (Result 28).

Result 28. Figure 7 gives a counterexamplethat justifies the result. The diagram in the fig-ure models B

S⇒ A and BT⇒ A. The statement

BS∪T⇒ , however, fails. Projecting the model un-

der S ∪ T gives the original picture, since eachworld falls in a separate equivalence class. No-tice that B says ¬(s ∧ ¬t): that statement istrue in both worlds B considers possible. But Adoes not believe it, since A can see the lower-leftworld, where the statement is false.

Why should this result be intuitive or desir-able? Recall from Section 8 that the strengthof T⇒ means that a delegation regarding T mayimply a delegation regarding a larger set T ∗ thatincludes formulas constructed from the membersof T . In our example, B speaks for A regardingformulas composed exclusively with the primi-tive s or the primitive t, but not regarding for-mulas combining the two. The closure of therestriction set S ∪ T includes formulas such as¬(s ∧ ¬t).

Axiom 29. Assume the premise in terms ofDefinition 35:

∀ w′0 (φw

T (R(A)(w′0)) ⊆ φw

T (R(B)(w′0)))

Let w belong to φwT (R(C|A)(w0)). The semantics

for quoting gives w ∈ φwT ((R(C) ◦ R(A))(w0)).

An edge only exists in a composition if we havew1 and w2 such that 〈w0, w1〉 ∈ R(C) and〈w1, w2〉 ∈ R(A); Definition 34 guarantees thatwe have such w1, w2 with w = φT (w2).

Since w2 ∈ R(A)(w1), we can use the assump-tion to show the existence of w′

2 ∈ R(B)(w1)

with φT (w′2) = φT (w2) = w. That means that

w ∈ φwT (R(B)(w1)), and hence w ∈ φw

T ((R(C) ◦R(B))(w0)). By the definition of quoting, we ar-rive at w ∈ φw

T (R(C|B)(w0)), which proves theconclusion. �

Result 30. The model in Figure 8 is a coun-terexample for T = {s} that shows the result.Notice that B

T⇒ A: R(A)’s only edge goes fromw0 to the equivalence class of worlds where s istrue, and R(B) also has such an edge (the loopat w0). When we compose the relations, how-ever, we see that B|C says s, but not A|C sayss.The equivalence classes of {C says s} are differ-ent than the equivalence classes of {s}.

st

st

A C

B

t

Bs

C

st

0w

Figure 8: A model that demonstrates Result 30.

Axiom 31. Inductively applying Axiom 46and Axiom 45 shows as a theorem that B

T⇒ Aimplies B

T ∗⇒ A. Therefore, we may imme-diately replace the premise of this axiom with

B((T ∗)C)∗⇒ A, which follows by the theorem from

the original premise. Herein we omit the paren-

32

theses for the postfix set operators ∗ and C, andsimply write T ∗C∗.

Hence we begin with the hypothesis that

R(A) ⊆ φ+T ∗C∗(R(B))

We are given some w0 ∈ W and the existence ofw2 ∈ φw

T (R(A|C)(w0)). The set can be rewrittenφw

T ((R(A) ◦ R(C))(w0)), so we know that thereexist w1 and w2, where

〈w0, w1〉 ∈ R(A)〈w1, w2〉 ∈ R(C)

w2 = φT ∗C∗(w2)

The last expression means that for all σ ∈ T ,σ ∈ w2 if and only if w1 ∈ E(σ).

Define the formula

τ2 =∧σ∈T

{σ if σ ∈ w2

¬σ otherwise

Intuitively, τ2 is true at precisely those worldsthat map to w2 under φT . We have constructedτ2 such that w2 ∈ E(τ2).

Since 〈w1, w2〉 ∈ R(C), we know R(C) �⊆E(¬τ2), and therefore w1 �∈ E(C says¬τ2), andfinally w1 ∈ E(¬C says¬τ2). The propositionalclosure of T ensures that each conjunct of τ2, andthus τ2 itself and ¬τ2, appear in T ∗. The modalclosure over “C says” ensures that (C says¬τ2) ∈T ∗C, and therefore (¬C says¬τ2) ∈ T ∗C∗.

Now we may employ the hypothesis to showthat there exists a w′

1 ∈ R(B)(w0) withw′

1∼=T ∗C∗ w1. It follows that:

w′1 ∈ E(¬C says¬τ2)

= W − E(C says¬τ2)= W − {w|R(C)(w)⊆ E(¬τ2)}= {w|R(C)(w) �⊆ E(¬τ2)}= {w|∃w′

2 ∈ R(C)(w), w′2 �∈ E(¬τ2)}

= {w|∃w′2 ∈ R(C)(w), w′

2 ∈ E(τ2)}

That is, we know there is a w′2 ∈ E(τ2), with

〈w′1, w

′2〉 ∈ R(C).

With both 〈w0, w′1〉 ∈ R(B) and 〈w′

1, w′2〉 ∈

R(C), we have 〈w0, w′2〉 ∈ R(B)◦R(C) = R(B|C).

From the definition of τ2, we know that w′2 is

in E(σ) exactly when σ ∈ w2 for all σ ∈ T ,so w2 = φT (w′

2). We have shown that w2 ∈φw

T (R(B|C)(w0)), and therefore that given the

hypothesis, the model supports B|C T⇒ A|C. �Axiom 38. This axiom follows from our cur-

rent brute-force semantics for names. Assumethe premise in terms of Definition 37:

R(A) ⊆ φ+T (R(B))

We want to show that

R(A · N ) ⊆ φ+T (R(B · N )),

which is of course trivial thanks to requirementI of Definition 42.

Theorem 39. Requirement III of Definition42 exists to support this axiom. It says:

R(A∧ B) · N ⊆ R(A ·N ) ∪R(B ·N )

The right-hand side, by the semantics for ∧, isequal to R((A · N ) ∧ (B · N )), completing theproof.

Axiom 40. Since (A∧B) ⇒ A, (A∧B) ·N ⇒A · N (by Axiom 38, with T = U). The same istrue for B, proving:

(A∧ B) · N ⇒ (A · N ) ∧ (B · N ) �

Theorem 41. Theorem 39 and Axiom 40 to-gether show equality. �

Axiom 44. Assume R(B) ⊆ E(σ′) ��R(A) ⊆

E(σ′) for σ′ ∈ {σ, τ}. Further, assume thatR(B) ⊆ E(σ ∧ τ). Using the semantics of ∧,we can write R(B) ⊆ E(σ) ∩ E(τ), and henceR(B) ⊆ E(σ) and R(B) ⊆ E(τ). By the first as-sumption, we can replace B in both statementswith A, use the definition of ∩ and the seman-tics of ∧, and conclude that R(A) ⊆ E(σ ∧ τ),justifying the axiom. �

Axiom 45. Let T = {σ, τ} and T ′ = {σ ∧ τ}.Assume first that:

φwT (R(A)(w′

0)) ⊆ φwT (R(B)(w′

0)) ∀ w′0 ∈ W

Second, assume we are given w0 and w′1 such that

w′1 ∈ φw

T ′(R(A)(w0)). We have the existence ofa w1 ∈ R(A)(w0) with w′

1 = φT ′(w1).

33

Let w1 = φT (w1). By our first assumption,w1 ∈ φw

T (R(B)(w0)), so there is a w′1 ∈ R(B)(w0)

with w1 = φT (w′1). We claim that φT ′(w′

1) = w′1,

a claim supported by leaning on the definition ofφT :

σ ∧ τ ∈ φT ′(w′1) ≡ w′

1 ∈ E(σ ∧ τ)≡ w′

1 ∈ E(σ) ∧ w′1 ∈ E(τ)

≡ σ ∈ w1 ∧ τ ∈ w1

≡ w1 ∈ E(σ) ∧ w1 ∈ E(τ)≡ w1 ∈ E(σ ∧ τ)≡ σ ∧ τ ∈ w′

1

Since w′1 is either T = {σ ∧ τ} or ∅, we

have shown the equality, and that w′1 ∈

φwT ′(R(B)(w0)). Therefore the model supports

B{σ∧τ}⇒ A. �Axiom 46. The structure of this proof par-

allels that of Axiom 45. Let T = {σ} andT ′ = {¬σ}. Assume first that:

φwT (R(A)(w′

0)) ⊆ φwT (R(B)(w′

0)) ∀ w′0 ∈ W

Second, assume we are given w0 and w′1 such that

w′1 ∈ φw

T ′(R(A)(w0)). That implies the existenceof a w1 ∈ R(A)(w0), with w′

1 = φT ′(w1). By thedefinition of φT ′ we know w1 ∈ E(¬σ) if andonly if ¬σ ∈ w′

1. Using the semantics of ¬, wecan rewrite that expression as

w1 ∈ E(σ) iff ¬σ �∈ w′1

Define

w1 ={

T if w′1 = ∅

∅ otherwise (w′1 = T ′)

Clearly σ ∈ w1 if and only if ¬σ �∈ w′1. Now we

can write

w1 ∈ E(σ) iff σ ∈ w1

This expression satisfies the definition of φT , sowe have φT (w1) = w1. Because w1 ∈ R(A)(w0),we know w1 ∈ φw

T (R(A)(w0)).Using the first assumption, we have w1 ∈

φwT (R(B)(w0)). Using arguments analogous to

those above, we have the existence of a w′1 ∈

R(B)(w0), and by the definition of φT , we canshow that w′

1 is in φwT (R(B)(w0)) as well. The

model supports B ¬σ⇒ A. �

A.5 Relationships among the re-stricted relations

In each of the examples below, assume T = {s}.T� is not stronger than T⇒. The subset re-

lation in the projected model M of T⇒ holds withthe possible exception of the single world wT = T

that represents the equivalence class of worlds inM in which all statements in T hold. ClearlyφT takes every member of ∩σ∈T E(σ) to that rep-resentative. The counterexample illustrated inFigure 9 highlights this exception.

T⇒ is not stronger thanT�. Although just

showed thatT� is not quite stronger than T⇒,

it certainly seems almost so. Indeed, it is veryeasy to construct an example that shows that themighty relation does not follow from the basicspeaks-for-regarding relation. See Figure 10.

T⇒ implies T→. Assume R(A) ⊆ φ+T (R(B)).

We will prove by contradiction that BT→ A. To

establish a contradiction, we assume there is astatement σ ∈ T and a world w0 where B saysσ

but not A saysσ. That is, R(B)(w0) ⊆ E(σ) butR(A)(w0) �⊆ E(σ). The latter means that thereis a world w1 ∈ R(A)(w0), but w1 �∈ E(σ).

We can push 〈w0, w1〉 through our original as-sumption to find a w′

1 such that 〈w0, w′1〉 ∈ R(B)

and w′1

∼=T w1. Definition 32 tells us thatw′

1 �∈ E(σ), which means R(B)(w0) �⊆ E(σ),which contradicts our second assumption. Wemay conclude that for all w0 ∈ W and σ ∈ T ,R(B)(w0) ⊆ E(σ) implies R(A)(w0) ⊆ E(σ). �

T� implies T→. We assume

R(A)(w0)−⋂τ∈T

E(τ) ⊆ R(B)(w0)

and that R(B)(w0) ⊆ E(σ). From the first as-sumption, any world w1 ∈ R(A)(w0) is either inE(σ) (let τ = σ) or in R(B)(w0). The formercase trivially guarantees w1 ∈ E(σ), and the lat-ter case does so by the second assumption. Weconclude that R(A)(w0) ⊆ E(σ). �

T→ is weaker than T⇒ and T→ is weaker

thanT�. See Figure 11 for counterexamples that

illustrate these relationships.

34

A

st

st

st

st

Bw

The set ∩s∈T E(s) is the left pair of worlds (where s istrue); the only edge belonging to R(A) terminatesin one of those worlds. Therefore, in this model,R(A)(w) − ∩s∈T E(s) ⊆ R(B)(w), and we conclude

that BT� A.

s

BA

s

w

The mapping φT that reduces the worlds above toequivalence classes modulo statements in T will makethis model M′. φR

T (R(A)) includes an edge to theequivalence class labeled s, but φR

T (R(B)(w)) does

not. Therefore, B � T⇒ A.

Figure 9: A counterexample that shows BT� A does not imply B

T⇒ A.

B

st

st

st

st

Aw

Here is a model in which from w, A considers possible

a world neither in R(B)(w) nor ∩s∈T E(s). So B � T� A.

A

ssB

w Projecting the model onto T , however, shows thatφR

T (R(A)) and φRT (R(B)) completely agree on matters

related to s; that is, BT⇒ A.

Figure 10: A counterexample that shows BT⇒ A does not imply B

T� A.

35

s s

BA

w (a)

The statement (R(B)(w) ⊆ E(s)) ��(R(A)(w) ⊆

E(s)) has a false premise, making it vacuously truein this model. Hence this model satisfies B

T→ A.The model is its own projection onto T , however,and it is clear that B � T⇒ A.

A

st

st

st

st

Bw

(b) This model satisfies BT→ A for the same reason as

the model in part (a). The single edge terminatingat R(A)(w), however, is in neither R(B)(w) nor

∩s∈T E(s), so B � T� A.

Figure 11: Examples that show why the relation T→ is weaker than T⇒ andT�.

36

An Access-Control Calculus for Spanning Administrative Domains

Documents

Transcript of An Access-Control Calculus for Spanning Administrative Domains