Abstract. The use of RFID technology in complex and distributed environments often leads to a multi-domain RFID system in which security issues such as authentication of tags and readers, granting access to data, and revocation of readers turn into an administrative challenge. In this paper, we propose a new public-key-based mutual authentication protocol that addresses the reader revocation problem while maintaining efficiency and identity privacy. In addition, our new protocol integrates fine-grained access control and key establishment with mutual authentication. The core of our solution is the use of the concepts of key-splitting and distributed signatures to solve the validation and revocation problem. We show that our protocols can be implemented on RFID tags using lightweight implementations of elliptic curve cryptography.