Author
Butler Lampson, Martin Abadi, Michael Burrows, Edward Wobber
Abstract
We describe a theory of authentication and a system that implements it. Our theory is
based on the notion of principal and a 'speak for' relation between principals. A simple
principal either has a name or is a communication channel; a compound principal can
express an adopted role or delegated authority. The theory shows how to reason about a
principal's authority by deducing the other principals that it
can speak for; authenticating a channel is one important application. We use the
theory to explain many existing and proposed security mechanisms. In particular, we
describe the system we have built. It passes principals efficiently as arguments or
results of remote procedure calls, and it handles public and shared key encryption,
name lookup in a large name space, groups of principals, program loading, delegation,
access control, and revocation.