Next: Conclusions Up: The CRISIS Wide Area Architecture Previous: Performance

Related Work

The conceptual framework of our security architecture is largely based on the theory presented in [Lampson et al. 1991]. In the introduction, we discussed the relationship between the DEC security work and our own. In this section, we describe a number of other efforts related to CRISIS.

SDSI [Rivest & Lampson 1996] is a distributed security infrastructure based on public keys with goals similar to our own. Their emphasis is on defining a standard format for certificates, rights transfer, and name spaces to provide a general security framework for Internet applications. With minimal extensions, SDSI could support CRISIS transfer certificates and remote execution of programs. Our work, however, is the largely orthogonal task of defining how such a framework can be used to provide redundant, high performance, and available security mechanisms for applications requiring secure remote control of wide area resources.

Neuman [Neuman 1993] discusses distributed mechanisms for authorization and accounting. Neuman's work shares much of our vision, namely limited capabilities in addition to ACLs. His work proposes a more general capability model. However, the capabilities are not auditable because proxies do not carry a chain of transfers. Further, Neuman's work is based on secret-key rather than public-key cryptography, meaning that synchronous communication with a trusted third party is required for each transfer of rights. The trusted third party is responsible for recording transfers and forwarding only the end result. For example, if P1 transfers rights to P2, and P2 further transfers rights to P3, the trusted third party passes on only a transfer from P1 to P3 to any end reference monitors.
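The auditability difference above can be made concrete with a small model of a transfer chain checked by an end reference monitor. The following is an added example written for this page; it is not CRISIS's transfer certificate format nor Neuman's proxy mechanism. It assumes constructed principal names (P1 through P4), a constructed ACL for one resource, and an HMAC with a per-principal secret known to the monitor as a stand-in for verifying a public-key signature; a real deployment would use public-key signatures so that the monitor needs no per-principal secret.

```python
import hashlib
import hmac
import json

# Constructed sample: per-principal signing secrets. The reference monitor holds
# them so it can check each link's HMAC; this stands in for public-key signature
# verification (assumption made for the example, not a property of CRISIS).
SIGNING_KEYS = {"P1": b"p1-secret", "P2": b"p2-secret", "P3": b"p3-secret"}

# Constructed ACL consulted by the end reference monitor: rights held on the
# resource before any transfers take place.
ACL = {"file:/data/report": {"P1": {"read", "write"}}}


def _canonical(record: dict) -> bytes:
    """Serialise a transfer record deterministically so signatures are stable."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _sign(principal: str, record: dict) -> str:
    """Signature stand-in: HMAC-SHA256 keyed with the grantor's secret."""
    return hmac.new(SIGNING_KEYS[principal], _canonical(record), hashlib.sha256).hexdigest()


def link_hash(link: dict) -> str:
    """Hash of a link's record, used to bind the next link to this one."""
    return hashlib.sha256(_canonical(link["record"])).hexdigest()


def make_transfer(grantor, grantee, resource, rights, previous=None):
    """Build one link of a transfer chain, signed by the grantor.
    `previous` is the hash of the preceding link so links cannot be reordered."""
    record = {
        "grantor": grantor,
        "grantee": grantee,
        "resource": resource,
        "rights": sorted(rights),
        "previous": previous,
    }
    return {"record": record, "signature": _sign(grantor, record)}


def verify_chain(chain, acl=ACL):
    """Reference-monitor check. Walks every link, so each intermediate principal
    appears in the returned audit trail. Returns (granted_rights, trail) or
    raises ValueError on a bad signature, broken ordering, or rights escalation."""
    if not chain:
        raise ValueError("empty chain")
    first = chain[0]["record"]
    resource = first["resource"]
    # Rights the origin holds on the resource according to the ACL.
    held = set(acl.get(resource, {}).get(first["grantor"], set()))
    current_holder = first["grantor"]
    trail = [current_holder]
    prev_hash = None
    for link in chain:
        rec = link["record"]
        if rec["resource"] != resource:
            raise ValueError("resource mismatch in chain")
        if rec["grantor"] != current_holder:
            raise ValueError(f"{rec['grantor']} is not the current holder {current_holder}")
        if rec["previous"] != prev_hash:
            raise ValueError("broken link order")
        if not hmac.compare_digest(_sign(rec["grantor"], rec), link["signature"]):
            raise ValueError(f"bad signature from {rec['grantor']}")
        requested = set(rec["rights"])
        if not requested <= held:
            raise ValueError(f"{rec['grantor']} cannot transfer {sorted(requested - held)}")
        held = requested               # a grantee never gets more than the grantor held
        current_holder = rec["grantee"]
        trail.append(current_holder)
        prev_hash = link_hash(link)
    return held, trail


RESOURCE = "file:/data/report"


def chained_delegation():
    """P1 -> P2 -> P3: every hop is carried, so the trail names P2."""
    t1 = make_transfer("P1", "P2", RESOURCE, {"read", "write"})
    t2 = make_transfer("P2", "P3", RESOURCE, {"read"}, previous=link_hash(t1))
    return verify_chain([t1, t2])


def collapsed_delegation():
    """What a third party that forwards only the end result would present:
    a single P1 -> P3 transfer. Valid, but P2 has vanished from the audit trail."""
    return verify_chain([make_transfer("P1", "P3", RESOURCE, {"read"})])


def escalation_rejected():
    """P3, holding only read, tries to pass write on to P4; the monitor refuses."""
    t1 = make_transfer("P1", "P2", RESOURCE, {"read", "write"})
    t2 = make_transfer("P2", "P3", RESOURCE, {"read"}, previous=link_hash(t1))
    t3 = make_transfer("P3", "P4", RESOURCE, {"write"}, previous=link_hash(t2))
    try:
        verify_chain([t1, t2, t3])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("chained:  ", chained_delegation())
    print("collapsed:", collapsed_delegation())
    print("escalation rejected:", escalation_rejected())
```

Both chains grant P3 the same `read` right, so from an access-control standpoint they are equivalent; the difference is that only the full chain lets the monitor (or a later auditor) see that P2 was the intermediary, and only the full chain lets the monitor itself enforce that no hop widens the rights it received.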

Jaeger and Prakash [Jaeger & Prakash 1995] present a model for discretionary access control in a wide area environment. In their work, principals specify the subset of their privileges that are to be transferred to a script written by a potentially untrusted third party. The actual rights transferred are negotiated between the application writer and the user. In their system implementation in Taos [Wobber et al. 1993] (a secure OS based on [Lampson et al. 1991]), they add dynamic principals for running programs with some subset of a principal's privileges, observing the difficulty of creating temporary principals and updating all necessary ACLs with the new principal name. Their dynamic principals are similar to one of the applications of CRISIS transfer certificates.

The goals of the Legion [Wulf et al. 1995] project are similar to our own in WebOS. In Legion, distributed computation takes place in the context of a distributed object system. Their approach to security is orthogonal to our own, with their primary goal being flexibility. Each Legion object is able to implement its own security policy. Presumably, a number of base policies will be implemented that suit the needs of the vast majority of applications. We believe that flexibility in the security system is a desirable feature; our approach in CRISIS can be viewed as one implementation of security for Legion objects.


Amin Vahdat
12/10/1997