2017 Volume 25 Pages 766-774
These days, ICT service environments have changed dramatically in complexity. Accordingly, the business logic behind business processes such as provisioning, resource limits, conditional authorization and delegation has also grown in complexity. In this paper, we generalize the idea of OAuth access tokens and propose “authorization by documents.” In our model, a user submits a document as evidence of a privilege claim, and a server verifies the document to prove the appropriateness of the user's privilege. A document can be complicated, reflecting some business flow in an institution. If the process and result of a business flow are expressed using documents, the documents serving as evidence can reflect an arbitrarily complex business flow. For this purpose, we formalize documents and define document tree logic (DTL), a variant of CTL*, to express the policies associated with documents. Typical business processes, including request and approval, delegation, and approval by document circular, are expressed in DTL and verified using documents as evidence.