When personal machines are incorporated into distributed systems, privacy becomes important. In our view, the mere existence of personal machines implies a new direction in computer security research. Rather than solely protecting centralized resources from unauthorized access, protecting the interests of the individual becomes the focus. For example, users will want to decide for themselves when and to whom access to their resources should be granted. In contrast, consider a system with centralized control, such as Kerberos [15]. In Kerberos, the trust relation between the system and its users is asymmetric and the organization maintaining the system dictates when and to whom access to resources should be granted. It is impossible for a user to generate credentials, either inside or outside Kerberos, that will be valid outside of its realms. Consequently, users cannot delegate access to their own resources at will. This lack of control over personal resources is an architectural concern, and not in any way related to the cryptographic technology that is applied in the system (symmetric or asymmetric cryptography).
Armed with a Personal Digital Assistant (PDA), users will challenge centralized models of authentication and access control by demanding to be in authority of their own resources. In essence, a PDA can provide the user with a Trusted Computing Base (TCB) [2]. The TCB gives leverage in situations where the user accesses resources remotely or wants to delegate access rights to other users.
A system that relies on PDAs for a part of its security creates a new set of engineering challenges. This article examines a problem that is rather specific to mobile computing: how to cope with circumstances where there is low or no connectivity between a user's machine and the system components critical to some operations. Our focus is on how authority can be delegated from one user to another without the requirement of communication with any kind of server.
PDAs are often not connected to a computer network. Even so, delegation of authority should be possible. Delegation may have to take place indirectly and possibly over unconventional paths -- such as part of a telephone conversation. Consider the following scenario: Alice and Bob are having a conversation on the phone, and Alice wants to grant Bob access to a file of hers. Since she has her TCB at hand, she should be able to generate sufficient credentials to enable Bob to access the file. This problem is denoted ``offline delegation of access rights'' (initially described in [6]). We describe how the problem comes about and manifests itself, what the implications are, and present a solution to it. Some relevant details of an implementation are also presented.
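To make the telephone scenario concrete, the following is an added example and not the paper's own protocol (the paper's protocols are given in Section 4). It assumes a hypothetical credential format: Alice's TCB builds a body naming issuer, grantee, resource, rights and expiry, and authenticates it with HMAC-SHA256 under a key that is provisioned to both her TCB and the file server. A symmetric key is used only so that the example runs with the standard library; a signature-based variant would verify the same body against Alice's public key instead. It further assumes that the server has already authenticated the presenter (Bob) by some other means, and all keys, names and timestamps are constructed values.

```python
import hashlib
import hmac
import json


def canonical(body: dict) -> bytes:
    """Deterministic encoding, so issuer and verifier MAC exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_delegation(issuer_key: bytes, issuer: str, grantee: str, resource: str,
                    rights: tuple, not_after: int, nonce: str) -> dict:
    """Alice's TCB builds a delegation credential without any network access.

    Hypothetical format (assumption, not the paper's): a body naming issuer,
    grantee, resource, rights and expiry, plus an HMAC-SHA256 tag.
    """
    body = {
        "issuer": issuer,
        "grantee": grantee,
        "resource": resource,
        "rights": sorted(rights),
        "not_after": not_after,   # expiry as a Unix timestamp
        "nonce": nonce,           # distinguishes otherwise identical credentials
    }
    tag = hmac.new(issuer_key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class FileServer:
    """The resource holder; it sees the credential only when Bob presents it."""

    def __init__(self, user_keys: dict, owners: dict):
        self.user_keys = user_keys   # user -> key shared with that user's TCB (assumed provisioned)
        self.owners = owners         # resource -> owning user
        self.revoked = set()         # nonces of credentials the owner later withdrew

    def authorize(self, presenter: str, cred: dict, right: str, now: int) -> tuple:
        body = cred.get("body")
        tag = cred.get("tag")
        if not isinstance(body, dict) or not isinstance(tag, str):
            return False, "malformed credential"
        key = self.user_keys.get(body.get("issuer"))
        if key is None:
            return False, "unknown issuer"
        # 1. Integrity and origin: recompute the tag before trusting any field.
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad tag"
        # 2. The issuer may only delegate what she herself controls.
        if self.owners.get(body["resource"]) != body["issuer"]:
            return False, "issuer does not own resource"
        # 3. Bound to the presenter (assumed already authenticated by other means).
        if body["grantee"] != presenter:
            return False, "credential not issued to presenter"
        # 4. Validity window and revocation.
        if now > body["not_after"]:
            return False, "expired"
        if body["nonce"] in self.revoked:
            return False, "revoked"
        # 5. Only the delegated rights, nothing more.
        if right not in body["rights"]:
            return False, "right not delegated"
        return True, "ok"

    def revoke(self, nonce: str) -> None:
        self.revoked.add(nonce)


def demo() -> dict:
    """Constructed walk-through of the phone-call scenario; returns each check's outcome."""
    alice_key = b"constructed-alice-key-32-bytes!!"   # provisioned to Alice's TCB and the server
    server = FileServer({"alice": alice_key}, {"report.txt": "alice", "other.txt": "carol"})
    t0 = 1_700_000_000
    # During the call, Alice's TCB issues the credential; the server is not contacted.
    cred = make_delegation(alice_key, "alice", "bob", "report.txt", ("read",), t0 + 3600, "n1")
    results = {
        "bob_reads": server.authorize("bob", cred, "read", t0 + 60),
        "bob_writes": server.authorize("bob", cred, "write", t0 + 60),
        "mallory_uses_it": server.authorize("mallory", cred, "read", t0 + 60),
        "after_expiry": server.authorize("bob", cred, "read", t0 + 7200),
    }
    # Changing the body without the key invalidates the tag.
    forged = {"body": dict(cred["body"], rights=["read", "write"]), "tag": cred["tag"]}
    results["forged_rights"] = server.authorize("bob", forged, "write", t0 + 60)
    # Alice cannot hand out Carol's file, even with a valid tag of her own.
    not_hers = make_delegation(alice_key, "alice", "bob", "other.txt", ("read",), t0 + 3600, "n2")
    results["not_owner"] = server.authorize("bob", not_hers, "read", t0 + 60)
    server.revoke("n1")
    results["after_revoke"] = server.authorize("bob", cred, "read", t0 + 60)
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:16s} {'ALLOW' if ok else 'DENY':5s} {why}")
```

The point of the example is the order of events: the only step that needs the server is Bob's eventual access, so Alice's TCB can issue the credential while offline. Note the cost of the shared-key shortcut: because the server holds Alice's key, it could mint credentials in her name, so this variant only removes the server from the delegation step; it does not give Alice exclusive authority over her resources in the way the paper argues for.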
The remainder of this article is structured as follows. Section 2 starts out by arguing why offline delegation is desirable, and presents the environment in which a solution has been implemented. Section 3 discusses the security constraints, while Section 4 discusses the protocols that are used. Section 5 describes some relevant implementation details. Then, Section 6 discusses aspects of the TCB, the assumptions made about the PDA, and the (secure) channels that are present in the system. Finally, the conclusions are drawn in Section 7.