Delegation, whereby an entity gives some of its rights to other entities, is considered the cornerstone of decentralized authorization, and many access control frameworks proposed recently make delegation its central tenet. In these frameworks, delegation is commonly viewed as a transfer between two autonomous agents---the grantor and the grantee. But the situation can be considerably more complex, and more challenging, in the case the grantor belongs to an organization. Generally, employees are not autonomous agents, but their actions are subject to the regulations of their enterprise. In particular, if an employee transfers his rights to another agent, this transfer is subject to the enterprise delegation policies.In delegation frameworks, authorizing a request requires finding a valid chain of credentials that delegates the authority from the source (the local policy of the entity that serves the request) to the requester. Unfortunately, chain discovery is a computationally expensive and time consuming task. It was shown that, in the general case, chain discovery is undecidable, and in more restrictive cases, it is polynomial in the number of credentials available to the server. Verifying compliance with the terms of a delegation policy adds a considerable overhead to request authorization.This paper presents a framework that considerably reduces the time required to authorize a request. In this framework, a delegation chain is condensed into a single credential, called chained delegation certificate (CDC). A CDC attests that the owner has a certain right, and serves as proof that every link in the chain complies with the policy governing delegation of the right in question. When CDCs are used for authorization, a server does not need to verify compliance with the delegation policy, nor does it need to perform the chain discovery step, and therefore requests are served considerably faster.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Tuomas Aura, Distributed access-rights management with delegation certificates, Secure Internet programming: security issues for mobile and distributed objects, Springer-Verlag, London, 2001
	2	Jean Bacon , Ken Moody , Walt Yao, A model of OASIS role-based access control and its support for active security, ACM Transactions on Information and System Security (TISSEC), v.5 n.4, p.492-540, November 2002  [doi>10.1145/581271.581276]
	3	Olav Bandmann , Babak Sadighi Firozabadi , Mads Dam, Constrained Delegation, Proceedings of the 2002 IEEE Symposium on Security and Privacy, p.131, May 12-15, 2002
	4	Matt Blaze , Joan Feigenbaum , John Ioannidis , Angelos D. Keromytis, The role of trust management in distributed systems security, Secure Internet programming: security issues for mobile and distributed objects, Springer-Verlag, London, 2001
	5	Matt Blaze , Joan Feigenbaum , Angelos D. Keromytis, KeyNote: Trust Management for Public-Key Infrastructures (Position Paper), Proceedings of the 6th International Workshop on Security Protocols, p.59-63, April 15-17, 1998
	6	Matt Blaze , Joan Feigenbaum , Jack Lacy, Decentralized Trust Management, Proceedings of the 1996 IEEE Symposium on Security and Privacy, p.164, May 06-08, 1996
	7	Matt Blaze , Joan Feigenbaum , Martin Strauss, Compliance Checking in the PolicyMaker Trust Management System, Proceedings of the Second International Conference on Financial Cryptography, p.254-274, February 23-25, 1998
	8	Dwaine Clarke , Jean-Emile Elien , Carl Ellison , Matt Fredette , Alexander Morcos , Ronald L. Rivest, Certificate chain discovery in SPKI?SDSI, Journal of Computer Security, v.9 n.4, p.285-322, January 2001
	9	John DeTreville, Binder, a Logic-Based Security Language, Proceedings of the 2002 IEEE Symposium on Security and Privacy, p.105, May 12-15, 2002
	10	R. J. Hayton, J. M. Bacon, and K. Moody. Access control in an open distributed environment. In Proceedings of the IEEE Symposium on Security and Privacy, 1998.
	11	Sotiris Ioannidis , Angelos D. Keromytis , Steve M. Bellovin , Jonathan M. Smith, Implementing a distributed firewall, Proceedings of the 7th ACM conference on Computer and communications security, p.190-199, November 01-04, 2000, Athens, Greece  [doi>10.1145/352600.353052]
	12	Yki Kortesniemi, SPKI Performance and Certificate Chain Reduction, Informatik bewegt: Informatik 2002 - 32. Jahrestagung der Gesellschaft für Informatik e.v. (GI), p.449-454, September 30-October 03, 2002
	13	Ninghui Li , Benjamin N. Grosof , Joan Feigenbaum, Delegation logic: A logic-based approach to distributed authorization, ACM Transactions on Information and System Security (TISSEC), v.6 n.1, p.128-171, February 2003  [doi>10.1145/605434.605438]
	14	Ninghui Li , John C. Mitchell , William H. Winsborough, Design of a Role-Based Trust-Management Framework, Proceedings of the 2002 IEEE Symposium on Security and Privacy, p.114, May 12-15, 2002
	15	Ninghui Li , William H. Winsborough , John C. Mitchell, Distributed credential chain discovery in trust management, Journal of Computer Security, v.11 n.1, p.35-86, February 2003
	16	Victoria Ungureanu, Using certified policies to regulate E-commerce transactions, ACM Transactions on Internet Technology (TOIT), v.5 n.1, p.129-153, February 2005  [doi>10.1145/1052934.1052939]