Limited Delegation for Client-Side SSL

Delegation is the process wherein an entity Alice designates an entity Bob to speak on her behalf. In password-based security systems, delegation is easy: Alice gives Bob her password. In the real world, endusers find this feature rather useful. However, security officers find it infuriating: by sharing her password, Alice gives all of her privileges to Bob, who then becomes indistinguishable from her. As enterprises move to PKI for client authentication, such secret sharing becomes impractical. Although security officers appreciate this, end-users may likely be frustrated, because this more secure approach to authentication and authorization prevents their ad hoc but reasonable delegation. In this paper, we present a solution that satisfies users as well as security officers: using X.509 proxy certificates (in a non-standard way) so that user Alice can delegate a subset of her privileges to user Bob in a secure, decentralized way, for Web-based applications. We validate this design with an SSL-based prototype: an extension for the Mozilla Firefox Web browser and a module for the Apache Web server that allow them to handle multiple chains of these certificates.