Postulates for Revocation Schemes

In access control frameworks with the possibility of delegating permissions and administrative rights, delegation chains can form. There are different ways to treat these delegation chains when revoking rights, which give rise to different revocation schemes. Hagström et al. [11] proposed a framework for classifying revocation schemes, in which the different revocation schemes are defined graph-theoretically. At the outset, we identify multiple problems with Hagström et al.’s definitions of the revocation schemes, which can pose security risks. This paper is centered around the question how one can systematically ensure that improved definitions of the revocation schemes do not lead to similar problems. For this we propose to apply the axiomatic method originating in social choice theory to revocation schemes. Our use of the axiomatic method resembles its use in belief revision theory. This means that we define postulates that describe the desirable behaviour of revocation schemes, study which existing revocation frameworks satisfy which postulates, and show how all defined postulates can be satisfied by defining the revocation schemes in a novel way.