Date of Award
Department of Computer Science
Sean W. Smith
Delegation is the process wherein an entity Alice designates an entity Bob to speak on her behalf. In password-based security systems, delegation is easy: Alice gives Bob her password. This is a useful feature, and is used often in the real world. But it's also problematic. When Alice shares her password, she must delegate all her permissions, but she may wish to delegate a limited set. Also, as we move towards PKI-based systems, secret-sharing becomes impractical. This thesis explores one solution to these problems. We use proxy certificates in a non-standard way so that user Alice can delegate a subset of her privileges to user Bob in a secure, decentralized way for web applications. We identify how delegation changes the semantics of access control, then build a system to demonstrate these possibilities in action. An extension on top of Mozilla's Firefox web browser allows a user to create and use proxy certificates for delegation, and a module on top of the Apache web server accepts multiple chains of these certificates. This is done in a modified SSL session that should not break current SSL implementations.
Santos, Nicholas J., "Limited Delegation (Without Sharing Secrets) in Web Applications" (2006). Dartmouth College Undergraduate Theses. 48.