Network Working Group M. Blaze
Request for Comments: 2704 J. Feigenbaum
Category: Informational J. Ioannidis
AT&T Labs - Research
U. of Pennsylvania
The KeyNote Trust-Management System Version 2
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright (C) The Internet Society (1999). All Rights Reserved.
This memo describes version 2 of the KeyNote trust-management system.
It specifies the syntax and semantics of KeyNote `assertions',
describes `action attribute' processing, and outlines the application
architecture into which a KeyNote implementation can be fit. The
KeyNote architecture and language are useful as building blocks for
the trust management aspects of a variety of Internet protocols and
Trust management, introduced in the PolicyMaker system [BFL96], is a
unified approach to specifying and interpreting security policies,
credentials, and relationships; it allows direct authorization of
security-critical actions. A trust-management system provides
standard, general-purpose mechanisms for specifying application
security policies and credentials. Trust-management credentials
describe a specific delegation of trust and subsume the role of
public key certificates; unlike traditional certificates, which bind
keys to names, credentials can bind keys directly to the
authorization to perform specific tasks.
Blaze, et al. Informational [Page 1]RFC 2704 The KeyNote Trust-Management System September 1999
A trust-management system has five basic components:
* A language for describing `actions', which are operations with
security consequences that are to be controlled by the system.
* A mechanism for identifying `principals', which are entities that
can be authorized to perform actions.
* A language for specifying application `policies', which govern the
actions that principals are authorized to perform.
* A language for specifying `credentials', which allow principals to
delegate authorization to other principals.
* A `compliance checker', which provides a service to applications
for determining how an action requested by principals should be
handled, given a policy and a set of credentials.
The trust-management approach has a number of advantages over other
mechanisms for specifying and controlling authorization, especially
when security policy is distributed over a network or is otherwise
Trust management unifies the notions of security policy, credentials,
access control, and authorization. An application that uses a
trust-management system can simply ask the compliance checker whether
a requested action should be allowed. Furthermore, policies and
credentials are written in standard languages that are shared by all
trust-managed applications; the security configuration mechanism for
one application carries exactly the same syntactic and semantic
structure as that of another, even when the semantics of the
applications themselves are quite different.
Trust-management policies are easy to distribute across networks,
helping to avoid the need for application-specific distributed policy
configuration mechanisms, access control lists, and certificate
parsers and interpreters.
For a general discussion of the use of trust management in
distributed system security, see [Bla99].
KeyNote is a simple and flexible trust-management system designed to
work well for a variety of large- and small-scale Internet-based
applications. It provides a single, unified language for both local
policies and credentials. KeyNote policies and credentials, called
`assertions', contain predicates that describe the trusted actions
permitted by the holders of specific public keys. KeyNote assertions
are essentially small, highly-structured programs. A signed
Blaze, et al. Informational [Page 2]RFC 2704 The KeyNote Trust-Management System September 1999
assertion, which can be sent over an untrusted network, is also