RFC 2704 (rfc2704) - Page 2 of 37


The KeyNote Trust-Management System Version 2



Alternative Format: Original Text Document



RFC 2704          The KeyNote Trust-Management System     September 1999


   A trust-management system has five basic components:

   *  A language for describing `actions', which are operations with
      security consequences that are to be controlled by the system.

   *  A mechanism for identifying `principals', which are entities that
      can be authorized to perform actions.

   *  A language for specifying application `policies', which govern the
      actions that principals are authorized to perform.

   *  A language for specifying `credentials', which allow principals to
      delegate authorization to other principals.

   *  A `compliance checker', which provides a service to applications
      for determining how an action requested by principals should be
      handled, given a policy and a set of credentials.

   The trust-management approach has a number of advantages over other
   mechanisms for specifying and controlling authorization, especially
   when security policy is distributed over a network or is otherwise
   decentralized.

   Trust management unifies the notions of security policy, credentials,
   access control, and authorization.  An application that uses a
   trust-management system can simply ask the compliance checker whether
   a requested action should be allowed.  Furthermore, policies and
   credentials are written in standard languages that are shared by all
   trust-managed applications; the security configuration mechanism for
   one application carries exactly the same syntactic and semantic
   structure as that of another, even when the semantics of the
   applications themselves are quite different.

   Trust-management policies are easy to distribute across networks,
   helping to avoid the need for application-specific distributed policy
   configuration mechanisms, access control lists, and certificate
   parsers and interpreters.

   For a general discussion of the use of trust management in
   distributed system security, see [Bla99].

   KeyNote is a simple and flexible trust-management system designed to
   work well for a variety of large- and small-scale Internet-based
   applications.  It provides a single, unified language for both local
   policies and credentials.  KeyNote policies and credentials, called
   `assertions', contain predicates that describe the trusted actions
   permitted by the holders of specific public keys.  KeyNote assertions
   are essentially small, highly-structured programs.  A signed



Blaze, et al.                Informational