Carnegie Mellon University
Access Control on the Web via Proof-Carrying Authorization
Proof-carrying authorization (PCA) is a general
distributed-authorization framework based on higher-order logic. PCA
differs from traditional approaches to distributed authorization in
that the burden of proof is shifted from the server to the client.
Instead of executing a complicated decision procedure, the server must
only verify that a proof -- written in an application-specific subset
of higher-order logic -- is valid. This enables a single server to
efficiently handle requests from many clients which may use different
To demonstrate its applicability to real problems, we have used PCA to
develop a system for controlling access to web pages. Our
prototype system consists of an HTTP proxy that sits on a client's
computer, gathers facts, and constructs proofs on her behalf, and a web
server that uses a servlet to verify that the proofs are valid.
Our scheme is sufficiently general to encode useful protocols like
certificate revocation and expiration, and efficient enough to be
practical in the real world.
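As an added illustration of the client/server split described above (a constructed toy, not the PCA logic or the prototype's code), the following Python sketches a server-side checker that only verifies a client-supplied proof, including the expiration and revocation handling the abstract mentions; the mini-logic, principal names, certificate values and timestamps are all made up.

```python
from dataclasses import dataclass

# Formulas of the constructed mini-logic, represented as tuples.
def says(p, f):       return ("says", p, f)
def speaksfor(a, b):  return ("speaksfor", a, b)
def mayread(url):     return ("mayread", url)

@dataclass(frozen=True)
class Cert:
    """Signed statement; trust here is membership in the server's set (a real verifier checks a signature)."""
    formula: tuple
    expires: int   # constructed timestamp

class ProofError(Exception): pass

def check(proof, trusted, now):
    """Return the formula the proof proves; nodes are ('cert', Cert) or ('delegate', p1, p2)."""
    kind = proof[0]
    if kind == "cert":
        cert = proof[1]
        if cert not in trusted:       # unknown or revoked certificate
            raise ProofError("untrusted certificate")
        if cert.expires <= now:
            raise ProofError("expired certificate")
        return cert.formula
    if kind == "delegate":
        # From  A says (B speaksfor A)  and  B says F  conclude  A says F.
        left, right = check(proof[1], trusted, now), check(proof[2], trusted, now)
        if left[0] != "says" or left[2][0] != "speaksfor" or right[0] != "says":
            raise ProofError("delegation rule misapplied")
        a, (_, b, a2) = left[1], left[2]
        if a != a2 or right[1] != b:
            raise ProofError("delegation principals do not match")
        return says(a, right[2])
    raise ProofError(f"unknown proof rule {kind!r}")

def authorize(proof, trusted, goal, now):
    """Server side: grant only if the proof checks and proves exactly `goal`."""
    try:
        return check(proof, trusted, now) == goal
    except ProofError:
        return False

# Constructed example: server delegates to alice, alice to bob, bob grants access.
C1 = Cert(says("server", speaksfor("alice", "server")), expires=2000)
C2 = Cert(says("alice", speaksfor("bob", "alice")), expires=2000)
C3 = Cert(says("bob", mayread("/secret")), expires=1500)
TRUSTED, GOAL = {C1, C2, C3}, says("server", mayread("/secret"))
# The client's proxy assembles this proof; the server only checks it.
PROOF = ("delegate", ("cert", C1), ("delegate", ("cert", C2), ("cert", C3)))
```

Note that `check` never searches for a proof: a missing or wrong step simply fails, which is what keeps the server's work proportional to the proof's size rather than to the policy's complexity.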
This is joint work with Andrew Appel, Edward Felten, and Michael
Host: Frank Pfenning
of Programming Seminars
Wednesday, December 3, 2003
Wean Hall 8220