In Dartmouth's "Greenpass" project, we're building an
experimental system to explore two levels of authorization
issues in the emerging information infrastructure. On a
practical level, we want to enable only authorized users to
access an internal wireless network while also permitting
appropriate users to delegate internal access to external
guests, and doing this all with standard client software. On
a deeper level, PKI needs to be part of this emerging
information infrastructure since sharing secrets is not
workable. However, the traditional approach to PKI---with a
centralized hierarchy based on global names and heavy-weight
X.509 certificates---has often proved cumbersome. On this
level, we want to explore alternative PKI structures that
might overcome these barriers.
By using SPKI/SDSI delegation on top of X.509 certificates
within EAP-TLS authentication, we provide a flexible,
decentralized solution to guest access that reflects
real-world authorization flow, without requiring guests to
download nonstandard client software. Within the "living
laboratory" of Dartmouth's wireless network, this project
lets us solve real problem with wireless networking, while
also experimenting with trust flows and testing the limits
of current tools.
N. Goffee, S. Kim, S.W. Smith, P. Taylor, M. Zhao, J. Marchesini.
"Greenpass: Decentralized, PKI-based Authorization for Wireless LANs."
3rd Annual PKI Research and Development Workshop.
NIST. April 2004.