A Conceptual Authorization Model for Web Services

  • Paul J. Leach,
  • Chris Kaler,
  • Blair Dillaway,
  • Praerit Garg,
  • Brian LaMacchia,
  • Butler Lampson,
  • John Manferdelli,
  • John Shewchuk,
  • Dan Simon,
  • Richard Ward

in Computer Systems: Theory, Technology, and Applications

Published by Springer | 2004

ISBN: 978-0-387-21821-2

This paper was written for a symposium in honor of Roger Needham, February 2003


This paper describes a conceptual authorization model for Web Services. It is an adaptation of the models of Taos [Lamp92] and SDSI [Lamp96], with terms changed to correspond more closely to those introduced with the WS-Security model [WS02]. In contrast to the more formal and mathematical presentation used for Taos and SDSI, this presentation is conceptual and informal, which may give some readers more intuition; it might also serve as an outline for the class hierarchy of an object-oriented implementation.

In addition, this model abstracts away from issues of distribution and network security such as authentication [Need78] and encryption (for example, by assuming that messages include the unforgeable identity of the sender and are private and tamperproof) so as to focus on authorization, but it does deal with the extensibility and composability of security services, and partial trust. It also abstracts away from issues of syntax and encoding (for example, ASN.1, proprietary binary formats, and XML) and focuses on semantics.