Using SPKI/SDSI for Distributed Maintenance of Attribute Release Policies in Shibboleth

Authors

Sidharth Nazareth, Dartmouth College
Sean W. Smith, Dartmouth College

Document Type

Technical Report

Publication Date

1-1-2004

Technical Report Number

TR2004-485

Abstract

The Shibboleth middleware from Internet2 provides a way for users at higher-education institutions to access remote electronic content in compliance with the inter-institutional license agreements that govern such access. To protect end-user privacy, Shibboleth permits users to construct attribute release policies that control what user credentials a given content provider can obtain. However, Shibboleth leaves unspecified how to construct these policies. To be effective, a solution needs to accommodate the typical nature of a university: a set of decentralized fiefdoms. This need argues for a public-key infrastructure (PKI) approach---since public-key cryptography does not require parties to agree on a secret beforehand, and parties distributed throughout the institution are unlikely to agree on anything. However, this need also argues against the strict hierarchical structure of traditional PKI---policy in different fiefdoms will be decided differently, and originate within the fiefdom, rather than from an overall root. This paper presents our design and prototype of a system that uses the decentralized public-key framework of SPKI/SDSI to solve this problem.

Dartmouth Digital Commons Citation

Nazareth, Sidharth and Smith, Sean W., "Using SPKI/SDSI for Distributed Maintenance of Attribute Release Policies in Shibboleth" (2004). Computer Science Technical Report TR2004-485. https://digitalcommons.dartmouth.edu/cs_tr/241