bcn@CS.WASHINGTON.EDU (Clifford Neuman) (03/27/91)
The following report is available for anonymous FTP from n1dmm.cs.washington.edu in /bcn/pbaa.PS. This paper describes the intended use of the authorization data field in V5 of the Kerberos protocol (though the idea is not restricted to Kerberos).

Proxy-Based Authorization and Accounting for Distributed Systems
B. Clifford Neuman
Department of Computer Science and Engineering
University of Washington
Technical Report 91-02-01
March 1991

ABSTRACT

In recent years there has been much interest in the secure authentication of principals across computer networks. There has been less discussion of distributed mechanisms to support authorization and accounting. Authorization and accounting are more closely related to authentication than most people realize. By generalizing the authentication model to support restricted proxies, both authorization and accounting can be easily supported. This paper shows how to support restricted proxies in an authentication system, presents an appropriate model for authorization and accounting, and describes how they may be easily implemented on top of restricted proxies.