Ubiquitous computing uses a variety of information for which access
needs to be controlled. For instance, a person's current location is a
sensitive piece of information that only authorized entities should
be able to learn. Several challenges arise in the specification and
implementation of policies controlling access to location
information. For example, there can be multiple sources of location
information, the sources can be within different administrative
domains, different administrative domains might allow different
entities to specify policies, and policies need to be flexible. We
address these issues in our design of a distributed access control
mechanism for a people location system. Our design encodes policies as
digital certificates, which enables decentralized storage of
policies. We also present an algorithm for the discovery of
distributed certificates. Furthermore, we discuss several privacy
issues and show how our design addresses them. To show feasibility of
our design, we built an example implementation based on
SPKI/SDSI certificates. Using measurements, we quantify the influence
of access control on query processing time. We also discuss trade-offs
between RSA-based and DSA-based signature schemes for digital
certificates.