2 results for Multi-Domain
at Duke University
Abstract:
Secure Access For Everyone (SAFE) is an integrated system for managing trust
using a logic-based declarative language. Logical trust systems authorize each
request by constructing a proof from a context---a set of authenticated logic
statements representing credentials and policies issued by various principals
in a networked system. A key barrier to practical use of logical trust systems
is the problem of managing proof contexts: identifying, validating, and
assembling the credentials and policies that are relevant to each trust
decision.
SAFE addresses this challenge by (i) proposing a distributed authenticated data
repository for storing the credentials and policies; and (ii) introducing a
programmable credential discovery and assembly layer that generates the
appropriate tailored context for a given request. The authenticated data
repository is built upon a scalable key-value store with its contents named by
secure identifiers and certified by the issuing principal. The SAFE language
provides scripting primitives to generate and organize logic sets representing
credentials and policies, materialize the logic sets as certificates, and link
them to reflect delegation patterns in the application. The authorizer fetches
the logic sets on demand, then validates and caches them locally for further
use. Upon each request, the authorizer constructs the tailored proof context
and provides it to the SAFE inference for certified validation.
Delegation-driven credential linking with certified data distribution provides
flexible and dynamic policy control enabling security and trust infrastructure
to be agile, while addressing the perennial problems related to today's
certificate infrastructure: automated credential discovery, scalable
revocation, and issuing credentials without relying on centralized authority.
We envision SAFE as a new foundation for building secure network systems. We
used SAFE to build secure services based on case studies drawn from practice:
(i) a secure name service resolver similar to DNS that resolves a name across
multi-domain federated systems; (ii) a secure proxy shim to delegate access
control decisions in a key-value store; (iii) an authorization module for a
networked infrastructure-as-a-service system with a federated trust structure
(NSF GENI initiative); and (iv) a secure cooperative data analytics service
that adheres to individual secrecy constraints while disclosing the data. We
present empirical evaluation based on these case studies and demonstrate that
SAFE supports a wide range of applications with low overhead.
Abstract:
BACKGROUND: Chromatin containing the histone variant CENP-A (CEN chromatin) exists as an essential domain at every centromere and heritably marks the location of kinetochore assembly. The size of the CEN chromatin domain on alpha satellite DNA in humans has been shown to vary according to underlying array size. However, the average amount of CENP-A reported at human centromeres is largely consistent, implying the genomic extent of CENP-A chromatin domains more likely reflects variations in the number of CENP-A subdomains and/or the density of CENP-A nucleosomes within individual subdomains. Defining the organizational and spatial properties of CEN chromatin would provide insight into centromere inheritance via CENP-A loading in G1 and the dynamics of its distribution between mother and daughter strands during replication.

RESULTS: Using a multi-color protein strategy to detect distinct pools of CENP-A over several cell cycles, we show that nascent CENP-A is equally distributed to sister centromeres. CENP-A distribution is independent of previous or subsequent cell cycles in that centromeres showing disproportionately distributed CENP-A in one cycle can equally divide CENP-A nucleosomes in the next cycle. Furthermore, we show using extended chromatin fibers that maintenance of the CENP-A chromatin domain is achieved by a cycle-specific oscillating pattern of new CENP-A nucleosomes next to existing CENP-A nucleosomes over multiple cell cycles. Finally, we demonstrate that the size of the CENP-A domain does not change throughout the cell cycle and is spatially fixed to a similar location within a given alpha satellite DNA array.

CONCLUSIONS: We demonstrate that most human chromosomes share similar patterns of CENP-A loading and distribution and that centromere inheritance is achieved through specific placement of new CENP-A near existing CENP-A as assembly occurs each cell cycle. The loading pattern fixes the location and size of the CENP-A domain on individual chromosomes. These results suggest that spatial and temporal dynamics of CENP-A are important for maintaining centromere identity and genome stability.