VPAF: a flexible framework for establishing and monitoring prolonged authorization relationships

We describe a generic framework for determining and monitoring access rights derived from credential documents. Distributed authorization systems intended to support collaborative coalitions (such as trust management systems) typically incorporate mechanisms to both validate credentials, and to determine authorization. This conjunction of distinct functions increases complexity of both components and limits overall flexibility. Furthermore, while authorization decisions frequently enable the commencement of a prolonged relationship, current authorization systems are designed to authorize instantaneous transactions and provide no mechanisms to detect and propagate revocation after an authorization decision is made. VPAF (a validated and prolonged authorization framework) will separate these duties in a manner that permits credential validation and authorization decisions to be managed separately. VPAF is intended to enable vigilant monitoring of prolonged authorization relationships that span mutually distrustful administrative domains such as is common when multiple organizations collaborate.