XML-based distributed access control system

The use of attribute certificates and the concept of mobile policies have been proposed to overcome some of the limitations of the role based access control (RBAC) paradigm and to implement security requirements such as the "originator controlled" (ORCON) policy. Mobile policies are attached to the data that they control and enforced by their execution in trusted servers. In this paper we extend this idea to allow the execution of the policies in untrusted systems. Our extension allows policies to be bound to the data but not attached to. Through this modification security administrators are able to change policies dynamically and transparently. Additionally, we introduce X-ACS, an XML-based language designed to express policies in a simple and unambiguous way overcoming the limitations of other approaches. Important features of X-ACS are that it can be used by processors with limited capabilities such as smart cards while allowing the automated validation of policies.