was licensed to practice in Bob's country, then she could try to obtain that credential on line. For example, it might be available from a national registry, from the doctor's office, from her insurance company, or from her mother. Alice's negotiation strategy must make the decision about whether to try to look for a missing credential, and guide any subsequent search.
While some approaches to trust negotiation still assume that the two parties agree on the exact strategy that they will use during a negotiation, this is unnecessarily restrictive in general. Agreeing on an exact choice of strategy compromises local autonomy and can leave a principal vulnerable to attack by a negotiating partner who does not follow the agreed-upon strategy. Researchers have shown that for trust negotiation approaches that directly disclose credentials, it is sufficient for the two negotiating parties to agree upon a broad set of strategies that may be used during the negotiation, including strategies described in the first four items in the list above [68]. Each participant has free choice of any strategy from the set, and is still guaranteed that the negotiation will result in trust being established if it is theoretically possible to do so; in other words, all strategies in the set are guaranteed to be interoperable. These guarantees apply to the negotiation between the resource requester and provider (i.e., they do not consider ancillary credential discovery searches), and they still apply if policies themselves may contain sensitive information (i.e., the disclosure of a policy is governed by an additional access control policy).
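The interoperability claim above can be watched on a small simulation. The code below is an added example, not from the chapter or from [68]: it models two strategies of the kind the chapter lists, an eager one that releases every credential whose policy is already satisfied and a parsimonious one that releases only credentials the counterpart's policies actually ask for, runs every pairing of them over a constructed pharmacy scenario, and checks that all pairings agree on whether trust gets established. The credential names, the policies, the turn order and the simplification that policies are public are assumptions of the example, not the chapter's.

```python
from itertools import product

# Constructed sample credentials for the pharmacy scenario. Each credential maps
# to its release policy: the counterpart credentials that must already have been
# received before it may be disclosed. Names are illustrative, not from the chapter.
ALICE_CREDS = {
    "doctor_license": {"pharmacy_license"},
    "insurance_card": {"privacy_seal"},
    "driver_license": set(),            # freely releasable, but Bob never asks for it
}
BOB_CREDS = {
    "pharmacy_license": set(),
    "privacy_seal": {"doctor_license"},
}
ORDER_POLICY = {"doctor_license", "insurance_card"}   # guards Bob's order service

# A cyclic instance: each side's only credential waits for the other's.
DEADLOCK_ALICE = {"doctor_license": {"privacy_seal"}}
DEADLOCK_BOB = {"privacy_seal": {"doctor_license"}}
DEADLOCK_POLICY = {"doctor_license"}


class Principal:
    def __init__(self, creds):
        self.creds = {c: set(p) for c, p in creds.items()}
        self.disclosed = set()
        self.received = set()

    def unlocked(self):
        """Credentials whose release policy the counterpart has already satisfied."""
        return {c for c, pol in self.creds.items()
                if pol <= self.received and c not in self.disclosed}


def eager(me, counterpart_asks):
    """Disclose every unlocked credential, relevant or not."""
    return me.unlocked()


def parsimonious(me, counterpart_asks):
    """Disclose only unlocked credentials that some counterpart policy asks for."""
    return {c for c in me.unlocked() if c in counterpart_asks}


STRATEGIES = {"eager": eager, "parsimonious": parsimonious}


def asks_of(principal, extra=()):
    """Everything the principal's policies (plus an optional resource policy) may ask for."""
    wanted = set(extra)
    for pol in principal.creds.values():
        wanted |= pol
    return wanted


def negotiate(alice_creds, bob_creds, resource_policy, alice_strategy, bob_strategy):
    """Turn-based negotiation; Alice requests, Bob provides.

    Simplification: policies are public, so each side knows what the other may ask for.
    Returns (trust_established, alice_disclosed, bob_disclosed).
    """
    alice, bob = Principal(alice_creds), Principal(bob_creds)
    turns = [(alice, bob, alice_strategy, asks_of(bob, resource_policy)),
             (bob, alice, bob_strategy, asks_of(alice))]
    while True:
        progress = False
        for me, other, strategy, wanted in turns:
            if resource_policy <= bob.received:
                return True, alice.disclosed, bob.disclosed
            batch = strategy(me, wanted)
            if batch:
                progress = True
                me.disclosed |= batch
                other.received |= batch
        if not progress:                 # nobody can move: the negotiation fails
            return False, alice.disclosed, bob.disclosed


def outcomes(alice_creds, bob_creds, resource_policy):
    """Outcome of every pairing of strategies from the set, keyed by (alice, bob) names."""
    return {(a, b): negotiate(alice_creds, bob_creds, resource_policy, STRATEGIES[a], STRATEGIES[b])
            for a, b in product(STRATEGIES, repeat=2)}


def interoperable(alice_creds, bob_creds, resource_policy):
    """True when every pairing reaches the same verdict on whether trust was established."""
    verdicts = {ok for ok, _, _ in outcomes(alice_creds, bob_creds, resource_policy).values()}
    return len(verdicts) == 1


if __name__ == "__main__":
    for pair, (ok, a, b) in outcomes(ALICE_CREDS, BOB_CREDS, ORDER_POLICY).items():
        print(pair, "success" if ok else "failure", "Alice showed", sorted(a), "Bob showed", sorted(b))
    print("deadlock instance interoperable:", interoperable(DEADLOCK_ALICE, DEADLOCK_BOB, DEADLOCK_POLICY))
```

All four pairings succeed on the solvable instance and all four fail on the cyclic one, which is the agreement the interoperability guarantee promises. The pairings do differ in what they reveal: an eager Alice hands over her driver's license although no policy of Bob's ever asks for it, and Bob can tell from that first message which strategy she is running. That difference is the starting point of the next section.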
5.2 Avoiding Information Leakage during Trust Negotiation
Researchers recognized early on that negotiation strategies that directly disclose credentials may leak information about credentials and policies that are never disclosed. By observing the behavior of a party, one may also be able to determine what strategy they are using, which can be used as leverage in extracting additional information. We describe some of these leaks in this section.
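The first leak this section turns to is a credential that carries more attributes than the policy it satisfies ever needed. As an added example that is not from the chapter or from the schemes it cites, the code below builds a credential as a signed list of salted per-attribute commitments, so the holder can open only the attribute a policy asks for while the verifier still checks that every opened value was certified by the issuer. The issuer's signature is stood in by an HMAC with a key the verifier shares (a real deployment uses a public-key signature), and the license attributes are constructed sample data; the issuer is assumed to certify "over_21" as an attribute of its own so it can be shown without the birth date.

```python
import hashlib
import hmac
import json
import secrets

# Stand-in for the issuer's signing key. A real deployment uses a public-key
# signature so the verifier needs no secret; HMAC keeps the example to the stdlib.
ISSUER_KEY = b"constructed-example-issuer-key"

# Constructed sample driver's license. The issuer certifies "over_21" as its own
# attribute so the holder can reveal the coarse claim without the birth date.
LICENSE = {
    "name": "Alice Example",
    "home_address": "1 Sample Street, Exampletown",
    "date_of_birth": "1990-01-01",
    "weight_kg": "60",
    "over_21": "true",
}


def commit(attr, value, salt):
    """Hiding, binding commitment to one attribute: SHA-256 over attr=value|salt."""
    return hashlib.sha256(f"{attr}={value}|{salt}".encode()).hexdigest()


def issue(attributes):
    """Issuer: commit to each attribute with a fresh salt, then authenticate the sorted list."""
    salts = {a: secrets.token_hex(16) for a in attributes}
    commitments = sorted(commit(a, v, salts[a]) for a, v in attributes.items())
    tag = hmac.new(ISSUER_KEY, json.dumps(commitments).encode(), "sha256").hexdigest()
    credential = {"commitments": commitments, "tag": tag}
    return credential, salts          # the salts stay with the holder


def present(credential, attributes, salts, reveal):
    """Holder: forward the authenticated commitments plus openings for the chosen attributes only."""
    return {
        "commitments": credential["commitments"],
        "tag": credential["tag"],
        "revealed": {a: [attributes[a], salts[a]] for a in reveal},
    }


def verify(presentation):
    """Verifier: check the issuer tag, then that each revealed value opens one commitment.

    Returns the attributes the verifier learned, or None if anything fails to check.
    """
    expected = hmac.new(ISSUER_KEY, json.dumps(presentation["commitments"]).encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, presentation["tag"]):
        return None
    learned = {}
    for attr, (value, salt) in presentation["revealed"].items():
        if commit(attr, value, salt) not in presentation["commitments"]:
            return None
        learned[attr] = value
    return learned


def demo():
    """Alice proves over_21 to Bob; Bob sees no other attribute and rejects a tampered opening."""
    credential, salts = issue(LICENSE)
    presentation = present(credential, LICENSE, salts, {"over_21"})
    wire = json.dumps(presentation)          # exactly what crosses the network
    tampered = present(credential, LICENSE, salts, {"over_21"})
    tampered["revealed"]["over_21"] = ["false", salts["over_21"]]
    return {
        "bob_learns": verify(presentation),
        "address_on_wire": LICENSE["home_address"] in wire,
        "dob_on_wire": LICENSE["date_of_birth"] in wire,
        "tamper_accepted": verify(tampered) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

Sorting the commitments hides even the order in which the issuer listed the attributes, but Bob still learns how many attributes the credential carries, and he only learns "over 21" because the issuer certified that claim separately. Deriving it from a hidden birth date, or proving it without revealing which certified attribute satisfied the policy, needs the more expensive schemes this section cites.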
A credential may contain more information than needed to satisfy a policy. For example, Alice can prove that she is over 21 by presenting a digital driver's license. However, the license also gives her home address, exact date of birth, weight, and other details that are not needed to prove that she is over 21. To address these shortcomings, researchers have proposed versions of digital credentials that allow one to hide information that is irrelevant to the negotiation at hand, such as Alice's home address [29, 60]. More sophisticated (and more expensive) schemes provide even more privacy, by avoiding direct disclosure of credentials. For example, Alice can prove that she is over 21, without disclosing her exact age [16, 17, 30, 15, 39]. These schemes allow Alice to prove to Bob that she has the properties specified in his policy, without Bob learning exactly what properties she has. For example, in the pharmacy example, Bob might learn that Alice is authorized to place an order, without