Lujo Bauer

Carnegie Mellon University

Access Control on the Web via Proof-Carrying Authorization


Proof-carrying authorization (PCA) is a general distributed-authorization framework based on higher-order logic. PCA differs from traditional approaches to distributed authorization in that the burden of proof is shifted from the server to the client. Instead of executing a complicated decision procedure, the server must only verify that a proof -- written in an application-specific subset of higher-order logic -- is valid. This enables a single server to efficiently handle requests from many clients which may use different application-specific logics.

To demonstrate its applicability to real problems, we have used PCA to develop a system for controlling access to web pages.  Our prototype system consists of an HTTP proxy that sits on a client's computer, gathers facts, and constructs proofs on her behalf, and a web server that uses a servlet to verify that the proofs are valid.  Our scheme is sufficiently general to encode useful protocols like certificate revocation and expiration, and efficient enough to be practical in the real world.
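The division of labour described above, as an added illustration that is not the paper's code or its logic: the client assembles a proof object from signed statements, and the server does no search, only a structural check of each inference step. It assumes a tiny delegation logic (two rules) in place of the paper's higher-order-logic subset, and abstracts signature verification into membership in a constructed set of signed statements.

```python
# Added toy proof checker (not the paper's code): the client builds the proof,
# the server only checks each step and never searches for one.
# Statements: ("mayaccess", P, R) | ("speaksfor", P, Q, R)
# Judgment:   ("says", K, statement)
# Proofs:     ("axiom", judgment) | ("delegate", judgment, proof, proof)

# Constructed sample of signed statements; real PCA checks digital signatures,
# here that check is abstracted into set membership (assumption).
SIGNED = {
    ("server", ("speaksfor", "alice", "server", "/secret")),
    ("alice", ("speaksfor", "bob", "alice", "/secret")),
    ("bob", ("mayaccess", "carol", "/secret")),
}

def check(proof, signed=SIGNED):
    """Return the judgment a proof establishes, or None if any step is invalid.
    Structural recursion over the proof: cost is linear in the proof's size."""
    rule, concl = proof[0], proof[1]
    if rule == "axiom":
        # A signed statement (K, S) justifies exactly the judgment (says, K, S).
        return concl if concl[0] == "says" and (concl[1], concl[2]) in signed else None
    if rule == "delegate":
        j1, j2 = check(proof[2], signed), check(proof[3], signed)
        if j1 is None or j2 is None:
            return None
        # j1: Q says (P speaksfor Q on R);  j2: P says (X mayaccess R)
        # Rule: from these conclude  Q says (X mayaccess R).
        _, q, s1 = j1
        _, p, s2 = j2
        ok = (s1[0] == "speaksfor" and s1[1] == p and s1[2] == q
              and s2[0] == "mayaccess" and s2[2] == s1[3]
              and concl == ("says", q, s2))
        return concl if ok else None
    return None  # unknown rule name: reject

def authorize(client, resource, proof, owner="server"):
    """Server-side decision: accept iff the proof establishes the policy goal."""
    return check(proof) == ("says", owner, ("mayaccess", client, resource))

def carol_proof():
    """What the client-side proxy would assemble for carol from the certificates."""
    bob = ("axiom", ("says", "bob", ("mayaccess", "carol", "/secret")))
    alice = ("axiom", ("says", "alice", ("speaksfor", "bob", "alice", "/secret")))
    via_alice = ("delegate", ("says", "alice", ("mayaccess", "carol", "/secret")), alice, bob)
    server = ("axiom", ("says", "server", ("speaksfor", "alice", "server", "/secret")))
    return ("delegate", ("says", "server", ("mayaccess", "carol", "/secret")), server, via_alice)

def forged_proof():
    """A proof resting on an unsigned axiom; the checker must reject it."""
    return ("axiom", ("says", "server", ("mayaccess", "mallory", "/secret")))
```

`authorize("carol", "/secret", carol_proof())` returns True and `authorize("mallory", "/secret", forged_proof())` returns False; a proof whose conclusion names a different resource than its premises is likewise rejected.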

This is joint work with Andrew Appel, Edward Felten, and Michael Schneider.

Host:  Frank Pfenning

Principles of Programming Seminars

Wednesday, December 3, 2003
3:30 p.m.
Wean Hall 8220