PERMIS Project Web Site



Delegation Issuing Service (DIS)

The Delegation Issuing Service (DIS) is a Web Service that receives requests from authorised delegators to delegate a subset of their attributes to a colleague or a subordinate. The DIS issues the X.509 Attribute Certificates on behalf of these delegators. This simplifies the Privilege Management Infrastructure:
  • Real user empowerment - users are empowered by the DIS to delegate (a subset of) their attributes to anyone else in their domain at any time without any human or administrative intervention.
  • Simpler Key Management - delegators do not need public-private key pairs to issue the Attribute Certificates since the DIS issues them on their behalf.
  • Only valid ACs are issued - the DIS is driven by a Delegation Policy and it checks that the requested delegation does not violate this policy before the delegated AC is issued.
  • Simpler for managers to move between posts - when a delegator leaves his or her post, in the general case his or her roles (i.e. attribute certificates) will be revoked. In a conventional X.509 PMI this means that all the delegated X.509 ACs that he or she issued will also become invalid, and will need to be re-issued by the new replacement manager. When the DIS is used to issue the ACs, this automatic revocation does not happen, since the ACs are only issued "on behalf of" a delegator - the actual issuer of the ACs is the DIS, and since its ACs have not been revoked, the delegated ones are also still valid.
  • Open web services interface - delegations can be created from anywhere at any time by any delegator.
  • "Trust but verify" - a full secure audit trail is kept by the DIS, since each delegated AC contains the name of the delegator as well as the delegatee. Thus it is always possible to find out who delegated what to whom.
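As an added illustration (not PERMIS code), a Python model of the delegation semantics described above: the policy check the DIS applies before issuing, why a DIS-issued AC outlives the revocation of the delegator's own AC while a delegator-signed one does not, and the audit query that the recorded delegator name makes possible. The names, policy fields and attribute values are constructed for the example.

```python
from dataclasses import dataclass

SOA, DIS = "CN=SOA", "CN=DIS"   # constructed names: Source of Authority and the DIS

@dataclass(frozen=True)
class AC:
    """Minimal model of an X.509 AC: who signed it, who holds it, which attributes."""
    serial: int
    issuer: str          # the delegator (conventional PMI) or the DIS
    holder: str          # the delegatee
    attrs: frozenset     # delegated attribute values
    delegator: str = ""  # "on behalf of" name the DIS records for the audit trail

def valid_attrs(name, acs, revoked):
    """Attributes `name` validly holds. A DIS- or SOA-issued AC stands on its own;
    a conventional delegated AC is only as good as what its issuer still holds.
    (No cycle detection; the constructed data has no cycles.)"""
    held = set()
    for ac in acs:
        if ac.holder != name or ac.serial in revoked:
            continue
        if ac.issuer in (SOA, DIS) or ac.attrs <= valid_attrs(ac.issuer, acs, revoked):
            held |= ac.attrs
    return held

def dis_issue(serial, delegator, delegatee, attrs, acs, revoked, policy):
    """Delegation Policy check the DIS runs before signing on the delegator's behalf."""
    attrs = frozenset(attrs)
    in_domain = delegatee.endswith(policy["domain"])
    if not (in_domain and attrs <= policy["delegatable"]):
        return None                                   # request violates the policy
    if not attrs <= valid_attrs(delegator, acs, revoked):
        return None                                   # cannot delegate what you do not hold
    return AC(serial, DIS, delegatee, attrs, delegator)

def audit(acs, delegator):
    """Who did `delegator` delegate what to? Read from the recorded delegator field."""
    return sorted((ac.holder, tuple(sorted(ac.attrs))) for ac in acs if ac.delegator == delegator)

# Constructed scenario: alice's manager AC is revoked after two delegations.
POLICY = {"domain": "o=permis", "delegatable": frozenset({"project-lead", "reviewer"})}
ALICE, BOB, CAROL = "CN=alice,o=permis", "CN=bob,o=permis", "CN=carol,o=permis"
MANAGER_AC = AC(1, SOA, ALICE, frozenset({"manager", "project-lead", "reviewer"}))
CONVENTIONAL_AC = AC(2, ALICE, BOB, frozenset({"reviewer"}))          # alice signed it herself
DIS_AC = dis_issue(3, ALICE, CAROL, {"project-lead"}, [MANAGER_AC], set(), POLICY)
ALL_ACS = [MANAGER_AC, CONVENTIONAL_AC, DIS_AC]

def after_revocation(revoked=frozenset({1})):
    """Holdings once alice's AC is revoked: conventional chain breaks, DIS-issued AC survives."""
    return {n: valid_attrs(n, ALL_ACS, revoked) for n in (ALICE, BOB, CAROL)}
```

The flip side of the survival shown by `after_revocation` is that a departed manager's delegations are not withdrawn automatically, so the `audit` query is what an administrator uses to find and review them.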
Here is a PowerPoint presentation about dynamic delegation of authority that shows the DIS in action. It was given at the JISC showcase event in London on 18 July 2006.

The DIS consists of two components:

  • The DIS Web Service v5.1.4 (.zip archive). This is the DIS web service that issues delegated ACs on behalf of delegators.
  • DIS Web Interface v5.1.4 (.zip archive). This is an Apache web site that acts as a proxy between a human user and the DIS. The human user uses a conventional web browser to access the Apache web site, and the Apache server acts as a client to the DIS, proxying the user's request for delegation to the DIS.

A list of changes since the last release can be found here.

Follow the service installation guide and the client installation guide. You can test whether your installation works as expected by following this guide.


Last updated 20 July 2011