An application of policy-based signature: proof-carrying proxy certificates

The term proxy certificate is used to describe a certificate that is issued by an end user for the
purpose of delegating responsibility to another user so that the latter can perform certain actions on behalf
of the former. Such certificates have been suggested for use in a number of applications, particularly in
distributed computing environments where delegation of rights is common. In this paper, we present a
new concept called proof-carrying proxy certificates. Our approach allows to combine the verification
of the validity of the proxy certificate and the authorization decision making in an elegant way that enhances
the privacy of the end user. In contrast with standard proxy certificates that are generated using
standard (public-key) signature schemes, the proposed certificates are generated using a signature scheme
for which the validity of a generated signature proves the compliance of the signer with a credential-based
policy. We present a concrete realization of our approach using bilinear pairings over elliptic curves and
we prove its security under adapted attack models.