Credential-Based Access Control Extensions to XACML

Access control and authentication systems are currently undergoing a paradigm shift towards openness and user-centricity where service providers communicate to the users what information they need to provide to gain access to a given resource. This paradigm shift is a crucial step towards allowing users to manage their identities and privacy. To ensure the service provider of the validity of the presented information, the latter is typically attested to by a trusted issuer or identity provider. There are multiple means to transmit such attestation to the service provider including X.509 certificates, anonymous credentials, and OpenIDs. In this position paper, we advocate to abstract all attestation means into the concept of a ‘credential’ and propose to extend XACML so that it allows service providers to specify the set of credentials that a user is required to present to get access to a given resource. Our extensions not only allow one to express conditions on the credentials that the user has to present, but also which attributes have to be disclosed, and to whom, and which statements the user has to consent to before being granted access.