Computer Laboratory

Technical reports

A capability-based access control architecture for multi-domain publish/subscribe systems

Lauri I.W. Pesonen

June 2008, 175 pages

This technical report is based on a dissertation submitted December 2007 by the author for the degree of Doctor of Philosophy to the University of Cambridge, Wolfson College.


Publish/subscribe is emerging as the favoured communication paradigm for large-scale, wide-area distributed systems. The publish/subscribe many-to-many interaction model together with asynchronous messaging provides an efficient transport for highly distributed systems in high latency environments with direct peer-to-peer interactions amongst the participants.

Decentralised publish/subscribe systems implement the event service as a network of event brokers. The broker network makes the system more resilient to failures and allows it to scale up efficiently as the number of event clients increases. In many cases such distributed systems will only be feasible when implemented over the Internet as a joint effort spanning multiple administrative domains. The participating members will benefit from the federated event broker networks both with respect to the size of the system as well as its fault-tolerance.

Large-scale, multi-domain environments require access control; users will have different privileges for sending and receiving instances of different event types. Therefore, we argue that access control is vital for decentralised publish/subscribe systems, consisting of multiple independent administrative domains, to ever be deployable in large scale.

This dissertation presents MAIA, an access control mechanism for decentralised, type-based publish/subscribe systems. While the work concentrates on type-based publish/subscribe the contributions are equally applicable to both topic and content-based publish/subscribe systems.

Access control in distributed publish/subscribe requires secure, distributed naming, and mechanisms for enforcing access control policies. The first contribution of this thesis is a mechanism for names to be referenced unambiguously from policy without risk of forgeries. The second contribution is a model describing how signed capabilities can be used to grant domains and their members’ access rights to event types in a scalable and expressive manner. The third contribution is a model for enforcing access control in the decentralised event service by encrypting event content.

We illustrate the design and implementation of MAIA with a running example of the UK Police Information Technology Organisation and the UK police forces.

Full text

PDF (2.5 MB)

BibTeX record

  author =	 {Pesonen, Lauri I.W.},
  title = 	 {{A capability-based access control architecture for
         	   multi-domain publish/subscribe systems}},
  year = 	 2008,
  month = 	 jun,
  url = 	 {},
  institution =  {University of Cambridge, Computer Laboratory},
  number = 	 {UCAM-CL-TR-720}