TAAC: A Policy-Based Access Control System

Ian Jacobi

5 May 2008

Overview

• Developed access control functionality on top of existing accountability system design
• Implemented HTTP access control mechanism on top of AIR reasoner
• Developed Firefox extension to handle authentication

TAAC System Design

• Designed to work with accountability approach to information protection
• Logs all accesses for later accountability checking
• Modularity permits nested dependency structure

TAAC Server Design

A dumb client requires a 'smart' server.

TAAC Supports Recursion

A server acts as a client.

Cutting out the Reasoning

• Relatively easy to cut out the reasoning through introduction of credentials
• Credentials like HTTP authentication cache or cookies
• Digests (e.g. md5(openID + ":" + privateKey)) can provide some security
• Additional security by filtering credential file

TAAC Server Implementation

• Utilizes mod_python for integration with existing AIR reasoner
• OpenID serves as authentication mechanism

TAACcess Firefox Extension

• Handles TAAC HTTP Headers seamlessly
• Uses internal preference to save identity
• Some work done on XMLHttpRequests using TAAC

Current Issues

• Implementation is still preliminary
• Server code is very slow
• OpenID isn't RESTful: XHR won't work easily

Future Plans

• TAAC Server
• Work to develop more complex policies and mechanisms in AIR to import external information sources into policies
• Implement separate credential files to cache authentications
• Clean up log format
• Profile server to reduce response time and server load
• TAACcess Extension
• Discuss with Firefox team about hooks to retry ALL connections on low level
• Decide appropriate mechanism for XHR authentications
• Allow Tabulator to aid configuration of identity
• Work with groups working on 'RDFAuth', 'FOAF+SSL'

Redistribution License