Authorization in-a-Box

The authorization process is a critical aspect in distributed/federated environment. For example, in federated identity management scenarios or outsourcing scenarios “distributed” decisions and authorizations are made by multiple parties involved in an interaction or business activity.
How to ensure that the remote party or business partner is making the right decisions and carrying out the correct authorization processes, based on agreed policies? I guess that one way to achieve this would be via legal contracts and periodical auditing for compliance checking.
A few years ago Joe Pato, Adrian Baldwin and I had a “complementary” idea, keeping into account also the “policy enforcement” angle. This idea consisted in an “Authorization-in-a-Box” approach. We wrote a technical report, but had no major follow-ups. Perhaps this suggested approach might now be of some interest (of course to be revisited in the current web service frameworks), considering the increased attention in distributed/federated environments and the role that authorization is going to cover in these contexts. The abstract of our technical report follows:
“This paper presents a distributed authorisation model suitable for use in a web service framework where multiple parties are involved in performing a particular transaction. The authorisation model uses a third party authorisation service that checks users or services' credentials against a set of authorisation policies. A traditional service provision model does not scale well for such transactions. The proposed model uses a hardware security appliance to deliver the service to the most appropriate site involved in the transaction. The authorisation model supports a multi-party session so that authorisation policies can be checked and built as part of the web service composition process.”
Comments and discussions are welcome.