Ubiquitous computing uses a variety of information for which access needs to be controlled. For instance, a person's current location is asensitive piece of information, which only authorized entities should be able to learn. Several challenges arise in the specification and implementation of policies controlling access to location information. For example, there can be multiple sources of location information, the sources can be within different administrative domains, different administrative domains might allow different entities to specify policies, and policies need to be flexible. Weaddress these issues in our design of an access control mechanism for a people location system. Our design encodes policies as digital certificates. We present an example implementation based on SPKI/SDSI certificates. Using measurements, we quantify the influence of access control on query processing time. We also discuss trade-offs between RSA-based and DSA-based signature schemes for digital certificates.