Integrity Constraints in Trust Management∗

We introduce the use, monitoring, and enforcement of integrity constraints in trust management-style au-thorization systems. We consider what portions of the policy state must be monitored to detect viola-tions of integrity constraints. Then we address the fact that not all participants in a trust management system can be trusted to assist in such monitoring, and show how many integrity constraints can be mon-itored in a conservative manner so that trusted par-ticipants detect and report if the system enters a pol-icy state from which evolution in unmonitored por-tions of the policy could lead to a constraint viola-tion.