parties during proof construction. For example, if someone asks the university
for Alice's student credential, the university can suggest that they instead ask
Alice or, if the requester is Alice, that she contact the university's student ID
repository to obtain her ID credential. This facility of PeerAccess, called proof
hints, can be used to encode the credential retrieval strategies of QCM, SD3,
RT, and other useful techniques.
5 Automated Trust Negotiation
There are many different algorithms that a set of autonomous parties can
follow to establish trust at run time. From just a small sampling, e.g., [14],
idemix [17], Binder [21], Unipro [68], interactive access control [36], Trust-χ
[7], Cassandra [6], Protune [12], OSBE and OAcerts [42, 39], [51], PeerAccess
[66], cryptographic-based protocols [41], and [3], we find an amazing diversity
of algorithms for the distributed construction of proofs. Some of the simpler
algorithms have been described in the previous sections of this chapter; for
more sophisticated approaches, space constraints force us to refer the reader
to the literature.
However, all recent approaches to trust negotiation do share the following
advantages over traditional identity-based approaches to authorization:
- Two previously unacquainted principals can establish bilateral trust
  between themselves at run time.
- The authorization policy for a resource can specify the properties that
  authorized parties must possess, removing the administrative burden of
  maintaining access control lists of authorized identities.
- Trust establishment does not rely on the existence of any trusted third
  parties, other than credential issuers.
- In trust negotiation approaches that involve direct disclosure of
  credentials, trust can be built up gradually through an iterative process,
  starting with less sensitive properties and moving on to more sensitive ones
  after a certain level of trust has been established.
- In trust negotiation approaches that do not involve direct disclosure of
  credentials, trust can be established without either principal learning
  exactly which properties the other principal possesses.
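The iterative, direct-disclosure process in the fourth point can be sketched as follows. This is an added example, not code from the chapter or from any system it cites; it assumes a simple eager strategy (each party releases every credential whose release policy is already satisfied), and all credential names and policies are constructed for illustration.

```python
# Added illustration: eager trust negotiation with direct credential disclosure.
# Each party maps credential name -> set of the OTHER party's credentials that
# must have been received before it may be released (empty set = freely released).

def negotiate(client, server, resource_policy, max_rounds=20):
    """Return (granted, transcript); transcript lists per-round disclosures."""
    seen_by_client, seen_by_server = set(), set()  # credentials received so far
    transcript = []
    for rnd in range(1, max_rounds + 1):
        if resource_policy <= seen_by_server:
            return True, transcript                # access policy satisfied
        # Client releases whatever the server's disclosures have unlocked.
        c_new = {c for c, pol in client.items()
                 if c not in seen_by_server and pol <= seen_by_client}
        seen_by_server |= c_new
        # Server answers with whatever the client's disclosures have unlocked.
        s_new = {c for c, pol in server.items()
                 if c not in seen_by_client and pol <= seen_by_server}
        seen_by_client |= s_new
        if not c_new and not s_new:
            return False, transcript               # no progress: negotiation fails
        transcript.append((rnd, sorted(c_new), sorted(s_new)))
    return resource_policy <= seen_by_server, transcript

# Constructed sample: the least sensitive credential (library_card) goes first.
CLIENT = {
    "library_card": set(),
    "student_id": {"univ_accreditation"},
    "credit_card": {"bbb_member", "univ_accreditation"},
}
SERVER = {
    "bbb_member": set(),
    "univ_accreditation": {"library_card"},
}
RESOURCE_POLICY = {"student_id", "credit_card"}

# Constructed failure case: each side waits for the other's credential.
DEADLOCK_CLIENT = {"student_id": {"univ_accreditation"}}
DEADLOCK_SERVER = {"univ_accreditation": {"student_id"}}

if __name__ == "__main__":
    ok, steps = negotiate(CLIENT, SERVER, RESOURCE_POLICY)
    for rnd, c_out, s_out in steps:
        print(f"round {rnd}: client -> {c_out}, server -> {s_out}")
    print("access granted" if ok else "negotiation failed")
    print(negotiate(DEADLOCK_CLIENT, DEADLOCK_SERVER, {"student_id"}))
```

The deadlock case shows why release policies that guard each other cyclically make an eager negotiation fail even when both parties hold the required credentials.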
All approaches to trust negotiation also share a reliance on policy
languages with certain properties [58], including the following:
- The policy language must possess a well-defined semantics. This implies
  that the meaning of the policy in that language must be independent of
  any particular implementation of the language. Otherwise, two negotiating
  parties can disagree on whether a particular policy has been satisfied by a
  set of credentials, leading to chaos.