A general and flexible access-control system for the web

Lujo Bauer, Michael A. Schneider, Edward W. Felten

Research output: Chapter in Book/Report/Conference proceedingConference contribution

61 Scopus citations


We describe the design, implementation, and performance of a new system for access control on the web. To achieve greater flexibility in forming access-control policies – in particular, to allow better interoperability across administrative boundaries – we base our system on the ideas of proof-carrying authorization (PCA). We extend PCA with the notion of goals and sessions, and add a module system to the proof language. Our access-control system makes it possible to locate and use pieces of the security policy that have been distributed across arbitrary hosts. We provide a mechanism which allows pieces of the security policy to be hidden from unauthorized clients. Our system is implemented as modules that extend a standard web server and web browser to use proof-carrying authorization to control access to web pages. The web browser generates proofs mechanically by iteratively fetching proof components until a proof can be constructed. We provide for iterative authorization, by which a server can require a browser to prove a series of challenges. Our implementation includes a series of optimizations, such as speculative proving, and modularizing and caching proofs, and demonstrates that the goals of generality, flexibility, and interoperability are compatible with reasonable performance.

Original languageEnglish (US)
Title of host publicationProceedings of the 11th USENIX Security Symposium
PublisherUSENIX Association
ISBN (Electronic)1931971005, 9781931971003
StatePublished - 2002
Event11th USENIX Security Symposium - San Francisco, United States
Duration: Aug 5 2002Aug 9 2002

Publication series

NameProceedings of the 11th USENIX Security Symposium


Conference11th USENIX Security Symposium
Country/TerritoryUnited States
CitySan Francisco

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications
  • Information Systems
  • Safety, Risk, Reliability and Quality


Dive into the research topics of 'A general and flexible access-control system for the web'. Together they form a unique fingerprint.

Cite this