Authorization in the digital library: secure access to services across enterprise boundaries

In large scale networked information systems (e.g. the World Wide Web), the community of subjects who may make requests to a service provider such as a digital library will often extend beyond the local community to include individuals about whom little prior knowledge, if any, exists at the provider. This poses challenges for resource protection which do not resist in traditional computing environments. The paper presents a formal framework for secure access to information and services in such systems, where both the size of the user base and a variety of local enterprise dependent representations of user attributes must be considered. In our framework, an individual supplies digital credentials akin to traditional paper credentials with a request for service. To decide whether to grant the request, the recipient interprets the credentials using knowledge about the credential issuers (more precisely, of what conditions must hold for the issuers to have issued the credentials) rather than, or in addition to, specific knowledge about the requester. Our formalism for access control also provides a basis for security oriented smart yellow pages facilities, which are directory services that manage queryable registries of information about service providers and their requirements