SPKI performance and certificate chain reduction
Authorisation certificate based access control owes much of its expressive power to delegation; delegation enables distributed access control management, where the authorisation decisions are manifested as certificate chains. Unfortunately, these chains have to be evaluated every time a right is used, and if the right is used repeatedly, this can result in significant performance overhead. However, if the chains are replaced with reduction certificates, this overhead can be cut down. In this paper we discuss performance in SPKI and how it can be improved with certificate chain reduction. We elaborate on certificate chains, reduction certificates, and their performance implications, the choice of issuers of reduction, and take a look at the problems of reducing chains with online validity checks.
Full Text: PDF