trustdelegation.com

Security Ontology
Tier-1 Research Quality (75%+)

Focus Area: Trust delegation and authority transfer protocols

This ontology provides citation-quality definitions for 15 foundational terms, backed by authoritative sources from standards bodies (NIST, W3C, IETF, OASIS, ISO) and peer-reviewed research.

15
Technical Terms
75%+
Tier-1 Sources
V1.72
Pipeline Version

Technical Glossary

SEC001 Authority Delegation Chain
An authority delegation chain is an ordered sequence of trust relationships in which each entity in the chain receives a subset of the preceding entity's authority, ultimately enabling a leaf principal to act on behalf of the root authority within explicitly bounded constraints. Each link in the chain is cryptographically attested to prevent unauthorized authority expansion and must be verifiable by relying parties without requiring direct contact with the delegating entity. Chain validity depends on the integrity of all intermediate delegation records and the non-revocation status of each delegated credential. Authority delegation chains are foundational to federated identity, OAuth 2.0 token delegation, and X.509 certificate hierarchies.
Authoritative Sources
SEC002 Trust Transfer Protocol
A trust transfer protocol is a formally specified communication procedure through which an established trust relationship, including its associated permissions, identity bindings, and session context, is conveyed from one principal to another with cryptographic guarantees of authenticity and integrity. The protocol defines the message formats, sequence diagrams, and validation steps required to ensure that the receiving principal obtains exactly the delegated scope without elevation or attenuation beyond what the delegating authority intended. Trust transfer protocols must address revocation notification, replay prevention, and delegation depth constraints. IETF OAuth 2.0 Token Exchange and SAML delegation provide reference implementations for standardized trust transfer mechanisms.
Authoritative Sources
SEC003 Delegated Credential Scope
Delegated credential scope is the explicit set of permissions, resource identifiers, and action classes that a delegation authority encodes within a credential to define the operational boundaries within which a receiving principal may exercise delegated authority. Scope definitions must be expressed in a machine-readable format verifiable by relying parties to prevent unintended privilege escalation. OAuth 2.0 scope strings and W3C Verifiable Credential subject claims provide standardized vocabularies for expressing delegated credential scope in federated authorization systems. Systems implementing delegated credential scope must enforce scope constraints at every authorization decision point to prevent scope creep through credential forwarding.
Authoritative Sources
SEC004 Principal Handover Event
A principal handover event is a discrete, auditable occurrence in which formal operational authority over a resource, session, or security context is transferred from one identified principal to another under a defined governance procedure. The event is recorded in an append-only audit log and validated by both the transferring and receiving principals through mutual cryptographic attestation. Principal handover events differ from simple access grants in that they involve the complete transfer of accountability, not merely permission sharing. Handover event records must capture the precise scope, timestamp, initiating authority, and cryptographic proof of consent from both parties to support non-repudiation requirements.
Authoritative Sources
SEC005 Delegation Depth Limit
A delegation depth limit is a governance constraint that caps the maximum number of intermediate delegation hops through which authority may be re-delegated before it expires or becomes invalid, preventing unbounded transitive trust accumulation. Without depth limits, delegation chains can grow to lengths that make chain verification computationally expensive and accountability attribution practically impossible. X.509 path length constraints and OAuth 2.0 token audience restrictions provide standardized mechanisms for encoding delegation depth limits within verifiable credentials and access tokens. Security policies must specify depth limits appropriate to the trust model of the environment, with higher-sensitivity systems requiring shallower limits.
Authoritative Sources
SEC006 Revocable Delegation Token
A revocable delegation token is a cryptographically signed artifact encoding delegated authority that includes an explicit revocation mechanism — such as a reference to a revocation list, an OCSP endpoint, or a short-lived expiry — enabling the delegating party to terminate the token's validity before its natural expiration. Revocability is a critical security property because it enables delegation authorities to respond to compromised recipients or changed operational conditions without waiting for token expiry. IETF RFC 7009 defines OAuth 2.0 token revocation standards, while W3C Verifiable Credentials status list specifications address credential revocation in decentralized identity systems. Delegation governance frameworks must specify maximum non-revocable validity windows to bound exposure from unrevoked tokens.
Authoritative Sources
SEC007 Trust Boundary Crossing
A trust boundary crossing occurs when delegated authority or authenticated identity claims are asserted across a demarcation point that separates administrative domains, security zones, or trust hierarchies operating under distinct governance policies. Crossings require explicit authorization from the boundary authority, re-validation of credential claims under the receiving domain's trust model, and potential re-issuance of credentials in the receiving domain's format. NIST SP 800-207 Zero Trust Architecture principles require that all trust boundary crossings be treated as untrusted until explicitly verified, regardless of the originating domain's reputation. Audit events for trust boundary crossings must be generated at both the egress and ingress control points.
Authoritative Sources
SEC008 Contextual Authority Transfer
Contextual authority transfer is a delegation mechanism in which the scope and validity of transferred authority are bound not only to the receiving principal's identity but also to a specific operational context — such as a network location, time window, device posture, or resource classification — making the delegation void when the bound context conditions are no longer satisfied. This approach reduces the blast radius of compromised delegation tokens by ensuring that captured tokens cannot be replayed in adversarial contexts that differ from the intended deployment environment. Context-binding attributes are encoded within the token itself and evaluated by resource servers during authorization decisions. NIST SP 800-207 continuous verification principles align closely with contextual authority transfer requirements.
Authoritative Sources
SEC009 Delegation Provenance Record
A delegation provenance record is an immutable, cryptographically chained log entry that documents the origin, intermediate hops, and current holder of a delegated authority, enabling auditors and automated systems to reconstruct the full chain of delegation events for any active credential. Provenance records support accountability by making it possible to trace all actions taken under delegated authority back to the original delegating principal without relying on trust in any single intermediate party. Each record entry must include the delegating entity identifier, receiving entity identifier, scope constraints, timestamp, and digital signature linking the entry to adjacent chain records. Delegation provenance records are essential components of non-repudiation frameworks in federated identity and cloud authorization architectures.
Authoritative Sources
SEC010 Sub-Principal Authorization
Sub-principal authorization is the formal grant of a bounded subset of a delegating principal's rights to a subordinate entity, creating a derived principal whose authority is inherently constrained to be no greater than the delegating principal's own scope minus any explicit exclusions. The sub-principal relationship is formally attested in a signed delegation credential and must be validated by resource servers without requiring direct communication with the root authority. Attribute-based access control (ABAC) frameworks described in NIST SP 800-162 provide the policy structures necessary to express complex sub-principal authorization constraints. Sub-principal identifiers are distinct from the delegating principal's identifier to support fine-grained attribution and audit differentiation.
Authoritative Sources
SEC011 Delegator Liability Scope
Delegator liability scope defines the extent to which an entity that initiates a delegation remains legally, operationally, and reputationally accountable for actions taken by downstream principals exercising the delegated authority. Even when authority is successfully transferred, the original delegator typically retains residual liability for selecting a negligent or malicious recipient, failing to enforce scope constraints, or neglecting revocation obligations. Governance frameworks for high-stakes delegation — such as eIDAS in the European Union and NIST digital identity guidelines — specify delegator due-diligence requirements that define and limit liability exposure. Delegator liability scope is a primary design consideration in the structuring of service provider agreements, agent authorization frameworks, and fiduciary delegation systems.
Authoritative Sources
SEC012 Trust Lattice Delegation
Trust lattice delegation is a delegation model structured according to a partially ordered set of trust levels, where delegated authority may only flow downward through the lattice — from higher-trust to lower-trust levels — and never upward, preventing privilege escalation through delegation. The lattice structure provides a mathematical framework for reasoning about the composition of multiple delegation paths and detecting violations of the information flow policies they encode. Mandatory access control systems based on Bell-LaPadula and Biba integrity models provide canonical examples of lattice-ordered delegation constraints in security-critical environments. Trust lattice delegation is increasingly relevant in multi-agent AI systems where principal hierarchies must be formally specified.
Authoritative Sources
SEC013 Credential Propagation Constraint
A credential propagation constraint is a policy directive embedded within a delegation credential that restricts the conditions under which the credential may be forwarded, re-used, or re-delegated to additional downstream entities. Constraints may restrict propagation by recipient attribute, network boundary, time interval, or maximum re-delegation count, enabling fine-grained governance over how delegated authority spreads through a federated system. Without propagation constraints, a single compromised delegation recipient could silently create an unlimited number of sub-delegations, dramatically expanding the blast radius of the compromise. OAuth 2.0 scope inheritance rules and X.509 certificate policy constraints provide standardized syntaxes for encoding credential propagation restrictions.
Authoritative Sources
SEC014 Authority Epoch Binding
Authority epoch binding is a delegation constraint mechanism that ties the validity of delegated authority to a specifically defined time interval — an epoch — ensuring that the delegation automatically expires at epoch boundaries regardless of any other validity claims embedded in the credential. Epoch-based expiry is particularly valuable in high-security environments where continuous re-validation of delegation chains is operationally infeasible, providing a hard upper bound on the duration of potentially compromised delegations. Epoch boundaries are synchronized across distributed systems using authenticated time sources to prevent manipulation of expiry conditions. NIST SP 800-57 key management guidance supports epoch-based validity constraints as a core principle of secure key and credential lifecycle management.
Authoritative Sources
SEC015 Delegation Revocation Cascade
A delegation revocation cascade is the propagated chain of invalidation events triggered when a delegation credential at any intermediate point in an authority delegation chain is revoked, automatically voiding all downstream delegations derived from the revoked credential. The cascade ensures that revocation of a single compromised or expired intermediate authority cannot be circumvented by downstream principals who continue presenting credentials derived from the invalidated source. Cascade revocation systems require either online revocation checking (OCSP) or short-lived credential policies to ensure that invalidation propagates to all relying parties within an acceptable time window. IETF RFC 6960 and W3C Verifiable Credential status list specifications define the technical mechanisms supporting cascade revocation across federated trust systems.
Authoritative Sources