The KeyNote Trust-Management System Version 2
RFC 2704

Document Type RFC - Informational (September 1999; No errata)
Authors Joan Feigenbaum  , John Ioannidis  , Angelos Keromytis  , Matt Blaze 
Last updated 2013-03-02
Stream Legacy
Formats plain text html pdf htmlized bibtex
Stream Legacy state (None)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state RFC 2704 (Informational)
Telechat date
Responsible AD (None)
Send notices to (None)
Network Working Group                                           M. Blaze
Request for Comments: 2704                                 J. Feigenbaum
Category: Informational                                     J. Ioannidis
                                                    AT&T Labs - Research
                                                            A. Keromytis
                                                      U. of Pennsylvania
                                                          September 1999

             The KeyNote Trust-Management System Version 2

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (1999).  All Rights Reserved.


   This memo describes version 2 of the KeyNote trust-management system.
   It specifies the syntax and semantics of KeyNote `assertions',
   describes `action attribute' processing, and outlines the application
   architecture into which a KeyNote implementation can be fit.  The
   KeyNote architecture and language are useful as building blocks for
   the trust management aspects of a variety of Internet protocols and

1.  Introduction

   Trust management, introduced in the PolicyMaker system [BFL96], is a
   unified approach to specifying and interpreting security policies,
   credentials, and relationships; it allows direct authorization of
   security-critical actions.  A trust-management system provides
   standard, general-purpose mechanisms for specifying application
   security policies and credentials.  Trust-management credentials
   describe a specific delegation of trust and subsume the role of
   public key certificates; unlike traditional certificates, which bind
   keys to names, credentials can bind keys directly to the
   authorization to perform specific tasks.

Blaze, et al.                Informational                      [Page 1]
RFC 2704          The KeyNote Trust-Management System     September 1999

   A trust-management system has five basic components:

   *  A language for describing `actions', which are operations with
      security consequences that are to be controlled by the system.

   *  A mechanism for identifying `principals', which are entities that
      can be authorized to perform actions.

   *  A language for specifying application `policies', which govern the
      actions that principals are authorized to perform.

   *  A language for specifying `credentials', which allow principals to
      delegate authorization to other principals.

   *  A `compliance checker', which provides a service to applications
      for determining how an action requested by principals should be
      handled, given a policy and a set of credentials.

   The trust-management approach has a number of advantages over other
   mechanisms for specifying and controlling authorization, especially
   when security policy is distributed over a network or is otherwise

   Trust management unifies the notions of security policy, credentials,
   access control, and authorization.  An application that uses a
   trust-management system can simply ask the compliance checker whether
   a requested action should be allowed.  Furthermore, policies and
   credentials are written in standard languages that are shared by all
   trust-managed applications; the security configuration mechanism for
   one application carries exactly the same syntactic and semantic
   structure as that of another, even when the semantics of the
   applications themselves are quite different.

   Trust-management policies are easy to distribute across networks,
   helping to avoid the need for application-specific distributed policy
   configuration mechanisms, access control lists, and certificate
   parsers and interpreters.

   For a general discussion of the use of trust management in
   distributed system security, see [Bla99].

   KeyNote is a simple and flexible trust-management system designed to
   work well for a variety of large- and small-scale Internet-based
   applications.  It provides a single, unified language for both local
   policies and credentials.  KeyNote policies and credentials, called
   `assertions', contain predicates that describe the trusted actions
   permitted by the holders of specific public keys.  KeyNote assertions
   are essentially small, highly-structured programs.  A signed

Blaze, et al.                Informational                      [Page 2]
RFC 2704          The KeyNote Trust-Management System     September 1999

   assertion, which can be sent over an untrusted network, is also
   called a `credential assertion'.  Credential assertions, which also
   serve the role of certificates, have the same syntax as policy
   assertions but are also signed by the principal delegating the trust.

   In KeyNote:
Show full document text