In this section, we describe research efforts to abandon the assumption
that a negotiating party has exactly one possible message that it can send
at each point during a negotiation, dictated by a common distributed proof
construction algorithm shared by all participants. Instead, two negotiating
parties begin their negotiation by agreeing on a negotiation protocol, which is
a set of conventions about the types of messages they will send to one another
and any restrictions on the ordering of those messages [68]. Within those
conventions, each party has freedom to choose the content of its messages.
This approach is intended for situations in which parties disclose (send) their
credentials and policies to one another.
In addition to a protocol, each negotiating party needs to have a trust
negotiation strategy, i.e., its own algorithm that determines the content of
each message that it sends out, based on its own credentials plus the messages
that it has received so far. Every strategy must ensure that all disclosures are
safe, i.e., if a particular credential is disclosed, then the policy governing
access to that credential has already been satisfied by previous disclosures.
For example, Alice's prescription should not be disclosed until Bob has proved
that he is a pharmacist. Some example strategies:
- Make every possible disclosure of the credentials on hand. In the pharmacy example, this strategy will lead Alice to disclose her doctor's credential immediately—and probably her library card, frequent flyer cards, CPR course certification, and many other irrelevant credentials as well.
- Disclose every credential on hand that is relevant to the negotiation. For example, Alice can disclose every credential of hers that has been mentioned in the policies previously disclosed by the other party.
- Disclose a minimal set of credentials on hand that will advance the state of the negotiation, where “minimal” is defined using set inclusion. The definition of what it means to advance the state of the negotiation can be surprisingly complex [68].
- Disclose a minimal set of credentials on hand that will advance the state of the negotiation, where “minimal” is defined using a system of weights over the credentials. For example, a party can give low weights to the credentials that it does not consider very sensitive, to steer the negotiation toward disclosure of those credentials.
- Use a cryptographic protocol that will allow the two parties to determine whether access is authorized, without letting them learn how the access policy is satisfied (or, in some variants, what the policy was) [16, 17, 30, 15, 24, 39].
- For the less sensitive parts of the negotiation, use one of the direct disclosure strategies mentioned above. For more sensitive aspects, use one of the cryptographic protocols mentioned in the previous item [41].
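The following simulation is an added example, not code from the original text, that plays out the pharmacy negotiation under the first four direct-disclosure strategies above. Every disclosure passes the safety rule (a credential is released only once its own policy is met by what the counterpart has already shown), and the strategies differ only in which of the safe credentials they choose. The credential names, the policy encoding (a list of alternative sets of required counterpart credentials), the convention that a party publishes the policies of relevant credentials it cannot yet release, and the simple notion of "advancing" (satisfying a pending counterpart policy or request) are all constructed assumptions for illustration; the chapter notes that the real definition of advancing is considerably subtler.

```python
"""Trust-negotiation strategies over a small disclosure model (added example).

The pharmacy scenario, credential names, policy encoding and the notion of
"advancing the negotiation" used here are constructed assumptions.
"""

# A policy is a list of alternatives; each alternative is a frozenset of
# credential names the counterpart must already have disclosed.  An empty
# alternative means the credential may be disclosed freely.
FREE = [frozenset()]


def satisfied(policy, received):
    """Safety check: is some alternative of the policy met by what was received?"""
    return any(alt <= received for alt in policy)


class Party:
    def __init__(self, name, credentials, weights=None):
        self.name = name
        self.credentials = credentials    # held credential -> its release policy
        self.weights = weights or {}      # credential -> sensitivity weight (default 1)
        self.sent = set()                 # what I have disclosed so far
        self.received = set()             # what the counterpart disclosed to me
        self.their_policies = {}          # policies the counterpart has disclosed
        self.requested = set()            # credentials the counterpart asked for outright

    def unlocked(self):
        """Credentials that are safe to disclose now and not yet sent."""
        return {c for c, p in self.credentials.items()
                if c not in self.sent and satisfied(p, self.received)}

    def relevant(self):
        """My credentials that the counterpart requested or named in a policy."""
        named = {c for p in self.their_policies.values() for alt in p for c in alt}
        return {c for c in self.requested | named if c in self.credentials}

    def candidates(self):
        """Unlocked sets that would satisfy a pending counterpart policy or request."""
        unlocked = self.unlocked()
        out = [frozenset([c]) for c in self.requested & unlocked]
        for p in self.their_policies.values():
            if satisfied(p, self.sent):
                continue
            for alt in p:
                needed = alt - self.sent
                if needed and needed <= unlocked:
                    out.append(needed)
        return out

    def choose(self, strategy):
        unlocked = self.unlocked()
        if strategy == "eager":                    # everything that is safe
            return unlocked
        if strategy == "relevant":                 # safe and mentioned by the other side
            return unlocked & self.relevant()
        cands = self.candidates()
        if not cands:
            return set()
        if strategy == "minimal":                  # minimal under set inclusion
            minimal = [c for c in cands if not any(o < c for o in cands)]
            return set(min(minimal, key=sorted))   # deterministic tie-break
        if strategy == "weighted":                 # least total sensitivity weight
            return set(min(cands, key=lambda s: sum(self.weights.get(c, 1) for c in s)))
        raise ValueError(strategy)

    def step(self, strategy):
        """Produce one message: (credentials disclosed, policies disclosed)."""
        creds = self.choose(strategy)
        self.sent |= creds
        # Assumed protocol convention: publish the policies of relevant credentials
        # that are still locked, so the counterpart learns what it must show.
        policies = {c: self.credentials[c] for c in self.relevant() if c not in self.sent}
        return creds, policies

    def receive(self, creds, policies):
        self.received |= creds
        self.their_policies.update(policies)


def negotiate(requester, server, resource, req_strategy, srv_strategy, max_rounds=10):
    """Alternate messages until the resource is released or a round makes no progress."""
    server.requested.add(resource)
    requester.receive(set(), {resource: server.credentials[resource]})  # opening request
    transcript = []
    for _ in range(max_rounds):
        progress = False
        for sender, receiver, strategy in ((requester, server, req_strategy),
                                           (server, requester, srv_strategy)):
            known = set(receiver.their_policies)
            creds, policies = sender.step(strategy)
            receiver.receive(creds, policies)
            transcript.append((sender.name, frozenset(creds)))
            progress = progress or bool(creds) or not set(policies) <= known
            if resource in server.sent:
                return True, transcript
        if not progress:
            return False, transcript
    return False, transcript


def first_index(transcript, cred):
    """Position of the message that first disclosed cred, or None if never disclosed."""
    return next((i for i, (_, creds) in enumerate(transcript) if cred in creds), None)


def pharmacy(req_strategy, srv_strategy, bob_has_license=True):
    """Constructed scenario: Alice wants Bob's pharmacy to fill her prescription."""
    alice = Party("Alice", {
        "prescription": [frozenset({"pharmacist_license"})],   # only for a proven pharmacist
        "doctor_cred": FREE, "patient_id": FREE, "library_card": FREE,
    }, weights={"prescription": 5, "doctor_cred": 3, "patient_id": 1, "library_card": 1})
    bob_creds = {"fill_prescription": [frozenset({"prescription"})],  # the service itself
                 "business_license": FREE}
    if bob_has_license:  # Bob shows his license only to a proven doctor or patient
        bob_creds["pharmacist_license"] = [frozenset({"doctor_cred"}), frozenset({"patient_id"})]
    bob = Party("Bob", bob_creds)
    return negotiate(alice, bob, "fill_prescription", req_strategy, srv_strategy)
```

Running `pharmacy("eager", "eager")` shows Alice handing over her library card in the first message; under "relevant" the library card is never sent but the negotiation takes more rounds; "minimal" and "weighted" both release a single credential to unlock Bob's license, differing only in which one (the inclusion-minimal tie-break versus the lowest-weight choice). With `bob_has_license=False` every strategy stalls without ever releasing the prescription, which is exactly what the safety rule guarantees.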
A negotiating partner may request a credential that a party does not have
on hand, but might be able to obtain over the internet at run time through
credential discovery. For example, if Alice did not have proof that her doctor