The Center for Education and Research in Information Assurance and Security (CERIAS)


Information Carrying Identity Proof Trees


Author

W. Winsborough, A. C. Squicciarini, E. Bertino

Tech report number

CERIAS TR 2007-85

Entry type

article

Abstract

In open distributed systems, the verification of properties of subjects is a crucial task for authorization. Very often access to resources is based on policies that express (possibly complex) requirements in terms of what are referred to variously as identity properties, attributes, or characteristics of the subject. Example characteristics include whether the subject is (operating on behalf of) a user of a certain age or having a certain credit rating, or is an organization having certain accreditation, to name just a few. In a distributed system having no central authority on subject characteristics, evaluation of such policy requirements is a challenging task. In this paper we provide an approach according to which an entity, referred to as the verifier, can evaluate a query concerning properties related to the identity of a subject, which may be required for the purpose of authorizing some action. The present contribution concerns the reuse of query results. We consider issues related to temporal validity (i.e., expiration and revocation of identity properties) as well as issues related to confidentiality when one entity reuses query results computed by another entity. We employ constraint logic programming as the foundation of our policy rules and query evaluation. This provides a very general, flexible basis, and enables our work to be applied more or less directly to several existing policy frameworks. The process of evaluating a query against a subject identity is traced through a structure, referred to as an identity proof tree, that carries all information proving that a policy requirement is met.
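The abstract describes three ideas that are easier to see in code than in prose: a proof tree whose leaves are the credentials that satisfied each sub-goal, a temporal-validity check that decides whether a previously computed tree can be reused (every supporting credential must still be unexpired and unrevoked), and a redacted copy of the tree that a verifier can hand to another party without disclosing confidential attribute values. The following is an added illustration written for this page; it is not the authors' implementation and it uses plain Datalog-style rules with unification rather than the constraint logic programming the paper builds on. The predicates (`can_access`, `age_over`, `credit_rating`), issuer names, credential ids and expiry times are all constructed sample data.

```python
"""Toy identity proof trees (illustration added to this page, not the paper's code)."""
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Tuple

Term = Tuple[str, ...]            # e.g. ("age_over", "alice", "18"); uppercase-initial = variable
Rule = Tuple[str, Term, List[Term]]  # (rule name, head, body)


@dataclass(frozen=True)
class Credential:
    """An asserted identity property with an expiry and an id usable for revocation."""
    cred_id: str
    issuer: str
    fact: Term
    expires_at: int               # constructed clock value, seconds
    confidential: bool = False    # value must not be disclosed to third parties


@dataclass
class ProofNode:
    goal: Term
    credential: Optional[Credential] = None   # leaf: satisfied directly by a credential
    rule: Optional[str] = None                # internal: derived by a rule over children
    children: List["ProofNode"] = field(default_factory=list)


def is_var(t: str) -> bool:
    return t[:1].isupper()


def walk(t: str, s: Dict[str, str]) -> str:
    while is_var(t) and t in s:
        t = s[t]
    return t


def apply(term: Term, s: Dict[str, str]) -> Term:
    return tuple(walk(t, s) for t in term)


def unify(a: Term, b: Term, subst: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return an extended substitution unifying a and b, or None."""
    if len(a) != len(b):
        return None
    s = dict(subst)
    for x, y in zip(a, b):
        x, y = walk(x, s), walk(y, s)
        if x == y:
            continue
        if is_var(x):
            s[x] = y
        elif is_var(y):
            s[y] = x
        else:
            return None
    return s


_fresh = [0]


def rename(rule: Rule) -> Rule:
    """Rename rule variables so separate rule applications never share names."""
    _fresh[0] += 1
    k = _fresh[0]
    ren = lambda t: tuple(f"{x}#{k}" if is_var(x) else x for x in t)
    name, head, body = rule
    return name, ren(head), [ren(b) for b in body]


def prove(goal: Term, rules: List[Rule], creds: List[Credential], now: int,
          subst: Optional[Dict[str, str]] = None) -> Iterator[Tuple[ProofNode, Dict[str, str]]]:
    """Depth-first search yielding (proof tree, substitution) for each way to prove goal."""
    subst = subst or {}
    goal = apply(goal, subst)
    for c in creds:
        if c.expires_at <= now:           # expired credentials never enter a proof
            continue
        s = unify(goal, c.fact, subst)
        if s is not None:
            yield ProofNode(apply(goal, s), credential=c), s
    for rule in rules:
        name, head, body = rename(rule)
        s = unify(head, goal, subst)
        if s is None:
            continue
        for children, s2 in prove_all(body, rules, creds, now, s):
            yield ProofNode(apply(goal, s2), rule=name, children=children), s2


def prove_all(goals, rules, creds, now, subst):
    if not goals:
        yield [], subst
        return
    for node, s in prove(goals[0], rules, creds, now, subst):
        for rest, s2 in prove_all(goals[1:], rules, creds, now, s):
            yield [node] + rest, s2


def resolve(node: ProofNode, s: Dict[str, str]) -> ProofNode:
    node.goal = apply(node.goal, s)
    for ch in node.children:
        resolve(ch, s)
    return node


def evaluate(query: Term, rules, creds, now: int) -> Optional[ProofNode]:
    """First proof tree for query at time `now`, or None if the policy is not met."""
    for node, s in prove(query, rules, creds, now):
        return resolve(node, s)
    return None


def leaves(node: ProofNode) -> Iterator[Credential]:
    if node.credential is not None:
        yield node.credential
    for ch in node.children:
        yield from leaves(ch)


def valid_until(tree: ProofNode) -> int:
    """A reused tree is only good until its earliest-expiring supporting credential."""
    return min(c.expires_at for c in leaves(tree))


def still_valid(tree: ProofNode, now: int, revoked: set) -> bool:
    """Reuse check: every supporting credential must be unexpired and unrevoked."""
    return all(c.expires_at > now and c.cred_id not in revoked for c in leaves(tree))


def redact(node: ProofNode) -> ProofNode:
    """Copy for sharing with another verifier: confidential values are hidden,
    but ids, issuers and expiries stay so the recipient can still run still_valid()."""
    cred, goal = node.credential, node.goal
    if cred is not None and cred.confidential:
        hidden = (cred.fact[0],) + ("*",) * (len(cred.fact) - 1)
        cred = Credential(cred.cred_id, cred.issuer, hidden, cred.expires_at, True)
        goal = hidden
    return ProofNode(goal, cred, node.rule, [redact(ch) for ch in node.children])


# Constructed sample policy and credentials (hypothetical names and times).
RULES: List[Rule] = [
    ("access_rule", ("can_access", "X", "loan_portal"),
     [("age_over", "X", "18"), ("credit_rating", "X", "R"), ("acceptable_rating", "R")]),
    ("good_ok", ("acceptable_rating", "good"), []),
    ("excellent_ok", ("acceptable_rating", "excellent"), []),
]
CREDS: List[Credential] = [
    Credential("c1", "dmv", ("age_over", "alice", "18"), expires_at=2000),
    Credential("c2", "bureau", ("credit_rating", "alice", "good"), expires_at=1500, confidential=True),
    Credential("c3", "dmv", ("age_over", "bob", "18"), expires_at=500),   # already expired at t=1000
]

if __name__ == "__main__":
    tree = evaluate(("can_access", "alice", "loan_portal"), RULES, CREDS, now=1000)
    print("proved by", tree.rule, "using", [c.cred_id for c in leaves(tree)])
    print("reusable until", valid_until(tree), "; after c2 revoked:", still_valid(tree, 1200, {"c2"}))
    print("shared leaf facts:", [c.fact for c in leaves(redact(tree))])
```

The reuse check is deliberately conservative: a tree built at t=1000 is reusable only while its weakest leaf is valid, so the credit-rating credential that expires at 1500 bounds the whole result even though the age credential lasts until 2000, and a single revoked credential id invalidates the tree. The redacted copy keeps exactly the fields needed for that check, which is the separation the abstract points at when it pairs confidentiality with reuse.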


Date

2007-06-01

Key alpha

E. Bertino

Affiliation

UT San Antonio, Purdue University

