This disclosure describes mechanisms for identification, authentication, and authorization of communications between two or more electronic devices.
When electronic devices such as mobile electronic devices and servers engage in communication via a network, it is important that communications be authenticated and access controlled. Participants in a distributed system (such as a collection of electronic devices that can each communicate with each other via one or more communication networks) typically have a need to know with whom they are communicating, and a means of expressing who may perform certain actions or access certain services. The process of identifying and/or verifying a device or its user may be referred to as “authentication.” The process of identifying what actions or services one or more devices or users may perform or use may be referred to as “authorization.”
Groups provide a useful level of indirection for authorization policies, in particular those described by access control lists (ACLs). When ACLs refer to groups, the ACLs can be simple and short. As an example, an ACL may permit access to all principals in the group “FriendlyClients”, which itself consists of users in the group “Friends” with devices in the group “Devices” via programs in the group “TrustedApps”. The definitions of these groups can be managed separately from the ACL and shared by many other ACLs.
In distributed systems, the use of groups is not straightforward. For example, it requires a distributed scheme for naming groups. Even with such a scheme, group definitions may not all be available at the time of an ACL check. In addition, groups may have unintended consequences or may contain circularities that no single participant in the system can detect locally. Further, the entities that control the groups may not all be equally trusted. In addition, lookups of group membership may incur the costs of remote communication and require appropriate security and privacy measures.
This document describes methods and devices that are directed to improving authentication and/or authorization in distributed systems.