A Practically Implementable and Tractable Delegation Logic

We address the goal of making Delegation Logic (DL) into a practically implementable and tractable trustmanagement system. DL [22] is a logic-based knowledge representation (i.e., language) for authorization in largescale, open, distributed systems. As introduced in [22], DL inferencing is computationally intractable and highly impractical to implement. We introduce a new version of Delegation Logic that remedies these difficulties. To achieve this, we impose a syntactic restriction and redefine the semantics somewhat. We show that, for this revised version of DL, inferencing is computationally tractable under the same commonly met restrictions for which Ordinary Logic Programs (OLP) inferencing is tractable (e.g., Datalog and bounded number of logical variables per rule). We give an implementation architecture for this version of DL; it uses a delegation compiler from DL to OLP and can modularly exploit a variety of existing OLP inference engines. As proof of concept, we have implemented a large expressive subset of this version of DL, using this architecture. This paper appears in Proceedings of the IEEE 2000 Symposium on Security and Privacy. The expanded Research Report version of this paper gives additional details, including sample output of the implementation.