Privilege delegation affords the ability to allow another to act as a surrogate for the delegator. A number of different strategies are relevant to accomplish the delegation process. For example, U.S. Pat. No. 5,339,403 issued to Parker, describes a privilege attribute certificate issued by an authentication server to allow a client access to distributed resources. In a second example, U.S. Pat. No. 5,918,228 issued to Rich, et al. describes a privilege attribute certificate used to “impersonate” a client to other web-based servers. The privilege attribute certificate is generated and issued by a first web server and presented to other servers by the first server as a means to “impersonate” a client for access purposes. A popular form of privilege delegation designed for networks employing TCP/IP protocols is called Kerberos.
Kerberos authenticates the identity of users attempting to log on to a network and includes secure messaging based on symmetric cryptography methods. Kerberos works by granting users “tickets,” as a form of credential which are then used to identify themselves to other network service providers. Each ticket includes information that allows another network service provider to determine that the user has been properly authenticated, analogous to a privilege attribute certificate. The proper ticket is automatically presented to the network service provider as a means to avoid multiple authentication procedures each time a different network service is attempted to be accessed.
In the above cited examples, the privilege attribute certificates or tickets are generated and controlled by the issuing servers rather than the person using the system. The person using the system must therefore trust the delegation strategies employed on the system. Secondly, the server-based systems may not provide sufficient flexibility in the delegation process where the necessary delegation criteria are role-based or rule-based rather than identity based. Lastly, the privilege attribute certificates employed in the relevant art are somewhat vulnerable to attack by a person or entity having access to the certificate generating servers.
For the foregoing reasons, there is a need to incorporate a flexible privilege delegation mechanism into one or more security tokens where the holder of the security token has greater control over the issuance and use of the delegable privileges.