Is it possible to implement full distributed authorization? What will be involved?

Asked by Emily on June 25, 2025

1 Answer

Yes, implementing distributed authorization is possible, although achieving a truly "full" and seamlessly interoperable system across independent and diverse domains remains complex. It involves making authorization decisions across multiple, potentially autonomous systems without relying on a single, centralized authority for all decisions. For instance, a user in one organization might need to access resources in another organization, requiring a distributed authorization mechanism.

Implementing distributed authorization involves several key components:

  • Trust Infrastructure: A robust public-key infrastructure (PKI) is fundamental to establish trust between disparate entities. This includes Certificate Authorities (CAs) issuing digital certificates to bind identities and attributes to public keys, allowing entities to verify each other's credentials across domains.
  • Authorization Policies: Mechanisms are needed to define, distribute, and enforce authorization policies that can be interpreted and applied across different resource domains. Policies dictate who can access what resources under which conditions.
  • Delegation Mechanisms: Systems must support secure delegation, allowing users or services to delegate specific authorization rights to other entities without compromising the overall security model.
  • Secure Communication: All interactions between authorization services, policy decision points, and policy enforcement points must occur over secure channels to prevent tampering with or eavesdropping on authorization requests and responses.
  • Revocation Systems: An efficient and timely method for revoking access rights or trust relationships is crucial across the distributed environment to respond to security incidents or changes in user status.
  • Standardized Protocols: Adopting common protocols for authorization requests, responses, and policy exchange helps ensure interoperability between different systems.

For more on distributed authorization models, you might look at work like J. Kahan's "A distributed authorization model for WWW" (http://www.isoc.org/HMP/PAPER/107/html/paper.html).

Nolan - June 25, 2025
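A worked example of the trust-root, delegation and revocation pieces the answer lists, added here and not part of the original answer: a minimal signed delegation chain in Go using Ed25519 from the standard library. The certificate format, the `Issue`/`Verify` functions and the rights names are assumptions for illustration; a resource owner (the trusted root) delegates rights to a user in another domain, who re-delegates a subset, and the verifier checks the signature chain, that no link widens its rights, expiry, and a revocation list.

```go
package main
import (
	"crypto/ed25519"
	"encoding/hex"
	"encoding/json"
	"fmt"
)
// Cert is a constructed delegation certificate for this example, not a standard format.
type Cert struct {
	Issuer, Subject ed25519.PublicKey
	Rights          []string
	Expiry          int64  // Unix seconds
	Sig             []byte // issuer's signature over payload()
}
// payload is the byte string that gets signed ([]byte fields marshal as base64).
func (c Cert) payload() []byte {
	b, _ := json.Marshal([]interface{}{[]byte(c.Issuer), []byte(c.Subject), c.Rights, c.Expiry})
	return b
}
// Issue creates a signed delegation from the holder of issuerPriv to subject.
func Issue(issuerPriv ed25519.PrivateKey, subject ed25519.PublicKey, rights []string, expiry int64) Cert {
	c := Cert{Issuer: issuerPriv.Public().(ed25519.PublicKey), Subject: subject, Rights: rights, Expiry: expiry}
	c.Sig = ed25519.Sign(issuerPriv, c.payload())
	return c
}

// Verify walks a chain from the trusted root to the presenter: each link must be signed by the
// previous subject, be unexpired and unrevoked, and may only narrow the rights it received.
func Verify(root ed25519.PublicKey, chain []Cert, revoked map[string]bool, now int64) (map[string]bool, error) {
	prev := root
	var held map[string]bool // nil: the root owns the resource and may grant any right
	for i, c := range chain {
		if !c.Issuer.Equal(prev) || !ed25519.Verify(c.Issuer, c.payload(), c.Sig) {
			return nil, fmt.Errorf("link %d: issuer is not the previous subject, or bad signature", i)
		}
		if c.Expiry <= now || revoked[hex.EncodeToString(c.Sig)] {
			return nil, fmt.Errorf("link %d: expired or revoked", i)
		}
		next := map[string]bool{}
		for _, r := range c.Rights {
			if held != nil && !held[r] {
				return nil, fmt.Errorf("link %d: right %q exceeds the delegator's rights", i, r)
			}
			next[r] = true
		}
		held, prev = next, c.Subject
	}
	return held, nil
}
```

Revocation here is keyed by the signature of the revoked link, so revoking the first grant also invalidates everything delegated from it, which is the property a distributed revocation system needs.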
