Networked systems such as computing grids, clouds, etc., provide resources to principals. A principal is any entity or actor in a security scenario, such as a user, a portion of code, a running service, an authority, a server, an organization, etc. Principals may possess attributes that are important to a networked system. For example, if the networked system is a simple web server, to gain access to resources on the web server, the principal may need to prove that it possesses a required attribute, e.g., “is an employee”. Access to such a system and its resources is often controlled according to a security policy expressed in a high-level policy language, which may be implemented by a separate security system.
Distributed or network security systems may use a decentralized policy language such as the eXtensible Access Control Markup Language (XACML) or the Security Policy Assertion Language (SecPAL) to express identity, delegate authority, and implement access control requirements. These languages represent principals and resources as elements in the language, and allow policy statements to be written that express authorization requirements.
Such languages currently rely on authentication methods that reveal the identity of principals or subjects. For example, in SecPAL, RSA public keys are commonly used as principal identifiers. By design, an RSA key serves as a unique identifier for an individual, so an RSA key reveals extra information that is not always necessary for the execution of a security policy; releasing such information prevents anonymity. However, under some circumstances an operator of a networked system or service may need to verify only that a principal has a certain attribute (e.g., has paid a fee), without regard for the identity of the principal. In other words, the service operator may wish to allow anonymous access.
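The linkability problem described above, as an added example that is not part of the original text: two services enforce the same attribute policy, and their access logs are joined on the identifier the verifier saw. The service names, key bytes and traffic are constructed, and the random per-presentation label only models what a verifier would learn from an anonymous presentation; it implements no cryptography.

```python
import hashlib
import secrets
from collections import defaultdict

def key_id(public_key_bytes: bytes) -> str:
    """Stable principal identifier derived from a public key (a fingerprint)."""
    return hashlib.sha256(public_key_bytes).hexdigest()[:16]

class Service:
    """Grants access when the presented attributes include the required one."""
    def __init__(self, name, required_attribute):
        self.name = name
        self.required = required_attribute
        self.log = []  # (label the verifier saw, resource) for granted requests

    def authorize(self, subject_label, attributes, resource):
        granted = self.required in attributes
        if granted:
            self.log.append((subject_label, resource))
        return granted

def linked_subjects(*services):
    """Return {label: sorted service names} for labels seen at two or more services."""
    seen = defaultdict(set)
    for svc in services:
        for label, _resource in svc.log:
            seen[label].add(svc.name)
    return {label: sorted(names) for label, names in seen.items() if len(names) > 1}

def run(identified: bool):
    """Replay the same constructed traffic with key-based or per-presentation labels."""
    library = Service("library", "has paid a fee")   # hypothetical services
    clinic = Service("clinic", "has paid a fee")
    # Constructed stand-ins for two principals' RSA public keys.
    principals = {"alice": b"constructed-key-A", "bob": b"constructed-key-B"}
    visits = [("alice", library, "/journals"), ("alice", clinic, "/results"),
              ("bob", library, "/journals")]
    for who, svc, resource in visits:
        # Key-based: the verifier sees the same fingerprint on every request.
        # Modelled anonymous presentation: the verifier sees a fresh random label.
        label = key_id(principals[who]) if identified else secrets.token_hex(8)
        if not svc.authorize(label, {"has paid a fee"}, resource):
            raise RuntimeError("policy unexpectedly denied a paying principal")
    return linked_subjects(library, clinic)

if __name__ == "__main__":
    print("key identifiers:", run(identified=True))
    print("per-presentation labels:", run(identified=False))
```

The policy decision is identical in both runs; only the key-based run lets the two logs be joined into a per-principal activity profile.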
Recent advances in cryptography include designs for anonymous credential systems. Using these anonymous credential systems, services can verify useful attributes of a principal without revealing the principal's identity. However, it has not previously been possible to use anonymous credential technology with a policy language. Techniques related to using anonymous credentials in a security policy language are discussed below.