Usable access control for the world wide web
- 8 July 2004
- conference paper
- Published by Institute of Electrical and Electronics Engineers (IEEE)
Abstract
While publishing content on the World Wide Web has moved within reach of the nontechnical mainstream, controlling access to published content still requires expertise in Web server configuration, public-key certification, and a variety of access control mechanisms. Lack of such expertise results in unnecessary exposure of content published by nonexperts, or forces cautious nonexperts to leave their content off-line. Recent research has focused on making access control systems more flexible and powerful, but not on making them easier to use. We propose a usable access control system for the World Wide Web, i.e., a system that is easy to use both for content providers (who want to protect their content from unauthorized access) and (authorized) content consumers (who want hassle-free access to such protected content). Our system is constructed with judicious use of conventional building blocks, such as access control lists and public-key certificates. We point out peculiarities in existing software that make it unnecessarily hard to achieve our goal of usable access control, and assess the security provided by our usable system.
This publication has 4 references indexed in Scilit:
- Using speakeasy for ad hoc peer-to-peer collaboration. Published by Association for Computing Machinery (ACM), 2002
- Moving from the design of usable security technologies to the design of useful secure applications. Published by Association for Computing Machinery (ACM), 2002
- Users are not the enemy. Communications of the ACM, 1999
- A calculus for access control in distributed systems. ACM Transactions on Programming Languages and Systems, 1993