In this paper we describe extensions to the access control industry standards XACML and SAML to enable privacy-preserving and credential-based access control. Rather than assuming that an enforcement point knows all the requester's attributes, our extensions allow the requester to learn which attributes have to be revealed and which conditions must be satisfied, thereby enabling to leverage the advantages of privacy-preserving technologies such as anonymous credentials. Moreover, our extensions follow a credential-based approach, i.e., attributes are regarded as being bundled together in credentials, and the policy can refer to attributes within specific credentials. In addition to defining language extensions, we also show how the XACML architecture and model of evaluating policies can be adapted to the credential-based setting, and we discuss the problems that such extensions entail.
Enabling privacy-preserving credential-based access control with XACML and SAML / C.A. Ardagna, S. De Capitani di Vimercati, G. Neven, S. Paraboschi, F.-S. Preiss, P. Samarati, M. Verdicchio - In: Proceedings : the 10th IEEE international conference on computer and information Technology (CIT-2010), the 7th IEEE international conference on embedded software and systems (ICESS-2010), the 10th IEEE international conference on scalable computing and communications (SCALCCOM-2010) : 29 june - 1 july 2010, Bradford, West Yorkshire, UKLos Alamitos : Institute of electrical and electronics engineers, 2010. - ISBN 9781424475476. - pp. 1090-1095 (( Intervento presentato al 10. convegno IEEE International Conference on Computer and Information Technology (CIT) tenutosi a Bradford, UK nel 2010 [10.1109/CIT.2010.199].
Enabling privacy-preserving credential-based access control with XACML and SAML
C.A. ArdagnaPrimo
;S. De Capitani di VimercatiSecondo
;P. SamaratiPenultimo
;
2010
Abstract
In this paper we describe extensions to the access control industry standards XACML and SAML to enable privacy-preserving and credential-based access control. Rather than assuming that an enforcement point knows all the requester's attributes, our extensions allow the requester to learn which attributes have to be revealed and which conditions must be satisfied, thereby enabling to leverage the advantages of privacy-preserving technologies such as anonymous credentials. Moreover, our extensions follow a credential-based approach, i.e., attributes are regarded as being bundled together in credentials, and the policy can refer to attributes within specific credentials. In addition to defining language extensions, we also show how the XACML architecture and model of evaluating policies can be adapted to the credential-based setting, and we discuss the problems that such extensions entail.
Pubblicazioni consigliate
I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
