Usability of Decentralized Authorization Systems - A Comparative Study

One new type of a security system is a decentralized authorization system that allows an owner of a resource to decide who can use this resource - even without trust towards external third parties. The idea itself is fascinating, but how about its usability? Security systems are generally considered to be difficult to understand and use. This paper compares the usability features and problems of three decentralized authorization systems: PolicyMaker, KeyNote and SPKI/SDSI. The analysis is based on the Heuristic Evaluation and Cognitive Walkthrough usability test methods. The analysis suggests that approaches of public key infrastructure type, such as the SPKI/SDSI authorization system, have the best usability features but even then the current state of the art is far from the end-user requirements. Designing and measuring usability of these systems is hard, complicated by the fact that security is only a means to achieve the user goal, not the goal as such.