Usable Access Control for the World Wide Web

Dirk Balfanz
Palo Alto Research Center

While publishing content on the World Wide Web has moved within reach of the non-technical mainstream, controlling access to published content still requires expertise in Web server configuration, public-key certification, and a variety of access control mechanisms. Lack of such expertise can result in unnecessary exposure of content published by non-experts, or can force cautious non-experts to leave their content off-line. Recent research has focused on making access control systems more flexible and powerful, but not on making them easier to use. In this paper, we propose a usable access control system for the World Wide Web, i.e. a system that is easy to use both for content providers (who want to protect their content from unauthorized access) and for authorized content consumers (who want hassle-free access to such protected content). Our system can be constructed with judicious use of conventional building blocks, such as access control lists and public-key certificates. We point out peculiarities in existing software that make it unnecessarily hard to achieve our goal of usable access control, and assess the security provided by our usable system.

Keywords: usability, access control

Read Paper (in PDF)