Skip to Main Content
We describe a system for access control on the Web that is based on the ideas of proof-carrying authorization (PCA). Our system is implemented as modules that extend a standard Web server and Web browser to use PCA to control access to Web pages. The Web browser generates proofs mechanically by iteratively fetching proof components until a proof can be constructed. We provide for iterative authorization, by which a server can require a browser to prove a series of challenges. Our implementation includes a series of optimizations, such as speculative proving, and modularizing and caching proofs, and demonstrates that the goals of generality, flexibility, and interoperability are compatible with reasonable performance.