A logic-based knowledge representation for authorization with delegation

Abstract

We introduce Delegation Logic (DL), a logic-based knowledge representation (i.e., language) that deals with authorization in large-scale, open distributed systems. Of central importance in any system for deciding whether requests should be authorized in such a system are delegation of authority, negation of authority, and conflicts between authorities. DL's approach to these issues and to the interplay among them borrows from previous work on delegation and trust management in the computer security literature and previous work on negation and conflict handling in the logic programming and nonmonotonic reasoning literature, but it departs from previous work in some crucial ways. We present the syntax and semantics of DL and explain our novel design choices. We focus on delegation, including explicit treatment of delegation depth and delegation to complex principles. Compared to previous logic-based approaches to authorization, DL provides a novel combination of features: it is based on logic programs, expresses delegation depth explicitly, and supports a wide variety of complex principles (including but not limited to k-out-of-n thresholds). Compared to previous approaches to trust management, DL provides another novel feature: a concept of proof-of-compliance that is not entirely ad-hoc and that is based on model theoretic semantics (just as usual logic programs have a model-theoretic semantics).