This talk is an overview of the Oasis access control architecture. This provides both a means for specifying complex authorisation information in an open distributed environment, and an efficient implementation.
Each Oasis service is responsible for classifying its clients into roles, using a formal logic to specify the policy for role entry. A client is authenticated by presenting credentials to a service and is returned a certificate embodying the proof of role membership. Policy statements in one service may refer to roles issued by another, so a dynamic proof tree may be built which exhibits, among other things, the trust relationships between the services.
Oasis has an efficient on-line implementation. A change in state that invalidates a credential leads to the rapid and selective revocation of any number of dependent certificates.
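The two mechanisms sketched above, role entry governed by per-service rules that may cite another service's roles, and revocation that follows the recorded dependencies of each certificate, can be illustrated with a small model. The following is an added example written for this page; it is not code from the Oasis prototype, and the service names ("auth", "records"), role names, credential kinds and the client "alice"/"bob" are constructed for the illustration. Each issued certificate records the credentials and certificates that satisfied its rule, and a shared registry uses those links to revoke only the certificates that transitively depend on an invalidated credential.

```python
"""Toy model of Oasis-style role entry with dependency-tracked, selective revocation.
Added illustration, not the Oasis prototype's code; all names are constructed."""
from dataclasses import dataclass
from itertools import count

_next_id = count(1)


@dataclass(frozen=True)
class Credential:
    """Something a client presents to a service, e.g. a password login or a smartcard."""
    kind: str
    subject: str


@dataclass(eq=False)  # eq=False keeps identity hashing so certificates can be dict keys
class Certificate:
    """Role membership certificate; records what it was derived from."""
    id: int
    issuer: str
    role: str
    subject: str
    depends_on: tuple   # Credentials and Certificates that satisfied the rule
    valid: bool = True


class Registry:
    """Shared index from each credential/certificate to the certificates derived from it."""
    def __init__(self):
        self.dependents = {}

    def link(self, dep, cert):
        self.dependents.setdefault(dep, []).append(cert)

    def revoke(self, dep):
        """Invalidate every certificate that transitively depends on `dep`, and nothing else."""
        revoked = []
        for cert in self.dependents.get(dep, []):
            if cert.valid:
                cert.valid = False
                revoked.append(cert)
                revoked.extend(self.revoke(cert))
        return revoked


class Service:
    def __init__(self, name, registry):
        self.name = name
        self.registry = registry
        self.rules = {}   # role -> list of alternative prerequisite tuples

    def add_rule(self, role, *prereqs):
        """A prerequisite is ('cred', kind) or ('role', issuing_service, role_name)."""
        self.rules.setdefault(role, []).append(prereqs)

    def _satisfies(self, prereq, item, subject):
        if prereq[0] == "cred":
            return isinstance(item, Credential) and item.kind == prereq[1] and item.subject == subject
        return (isinstance(item, Certificate) and item.valid and item.subject == subject
                and item.issuer == prereq[1] and item.role == prereq[2])

    def activate(self, role, subject, presented):
        """Classify `subject` into `role` if some rule is satisfied by what was presented."""
        for rule in self.rules.get(role, []):
            used = []
            for prereq in rule:
                match = next((x for x in presented if self._satisfies(prereq, x, subject)), None)
                if match is None:
                    break
                used.append(match)
            else:
                cert = Certificate(next(_next_id), self.name, role, subject, tuple(used))
                for dep in used:          # remember what this certificate rests on
                    self.registry.link(dep, cert)
                return cert
        return None


def proof_tree(cert):
    """Nested view of a certificate's derivation: which service relied on which."""
    return (f"{cert.issuer}:{cert.role}",
            [proof_tree(d) if isinstance(d, Certificate) else f"cred:{d.kind}"
             for d in cert.depends_on])


def demo():
    reg = Registry()
    auth = Service("auth", reg)        # constructed authentication service
    records = Service("records", reg)  # constructed service that trusts auth's roles
    auth.add_rule("logged_in", ("cred", "password"))
    auth.add_rule("doctor", ("cred", "smartcard"), ("role", "auth", "logged_in"))
    records.add_rule("reader", ("role", "auth", "doctor"))

    login = auth.activate("logged_in", "alice", [Credential("password", "alice")])
    doctor = auth.activate("doctor", "alice", [Credential("smartcard", "alice"), login])
    reader = records.activate("reader", "alice", [doctor])
    bob_login = auth.activate("logged_in", "bob", [Credential("password", "bob")])
    denied = records.activate("reader", "bob", [bob_login])   # bob holds no doctor role

    # Alice's password session ends: everything derived from it is revoked, bob's is not.
    revoked = reg.revoke(Credential("password", "alice"))
    return {
        "proof": proof_tree(reader),
        "bob_denied": denied is None,
        "revoked": [f"{c.issuer}:{c.role}" for c in revoked],
        "bob_still_valid": bob_login.valid,
        "alice_reader_valid": reader.valid,
    }


if __name__ == "__main__":
    print(demo())
```

The point to notice is that revocation never scans all outstanding certificates: the registry walks only the dependency links recorded at issue time, so the cost is proportional to the number of certificates actually affected, which is what makes selective revocation cheap.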
A prototype system has been implemented and tested.