would disclose the credential or disclose the fact that she does not possess it. This approach is also effective if non-possession is sensitive. However, it relies on the willingness of individuals to behave in the same manner whether or not they possess the sensitive attribute—and for those who do not possess it, there may be little incentive to behave in this manner, as the negotiation will progress faster if they immediately confess that they do not have the attribute.
Another solution with moderate runtime costs involves the use of acknowledgement policies [63]. In this scheme, Alice has an acknowledgement policy (ack-policy) for each possible sensitive credential, regardless of whether she has that credential or not. She only discloses whether she has the credential after the ack-policy has been satisfied. This approach also relies on the willingness of people who do not possess a sensitive attribute to act as though they did, even though it will prolong negotiations. The other disadvantage of this approach is that users will have many more policies, and policy specification and maintenance are a huge practical challenge.
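The ack-policy scheme described above, as an added Python sketch that is not from the book or from the cited paper [63]. It models one possession query: the owner names the ack-policy for the requested credential, the requester shows what it can, and only when the policy is satisfied does the owner say whether she holds the credential. Running the same query against a holder and a non-holder with identical ack-policies shows that the transcripts agree up to the final answer, which is exactly the behaviour the scheme depends on. All party, credential and policy names are constructed for illustration.

```python
"""Toy acknowledgement-policy (ack-policy) negotiation step.

Added example, not from the book: every sensitive credential name has an
ack-policy whether or not the owner actually holds it, and the owner answers
"do you have X?" only after the asker has satisfied that policy.
"""
from dataclasses import dataclass, field


@dataclass
class Party:
    name: str
    credentials: set                     # credentials this party actually holds
    ack_policies: dict = field(default_factory=dict)  # cred -> set of creds the asker must show first


def ack_policy_negotiation(owner: Party, asker: Party, requested: str) -> list:
    """Return the (speaker, message) transcript for one possession query."""
    transcript = []
    policy = owner.ack_policies.get(requested)
    if policy is None:
        # No ack-policy means the credential is not treated as sensitive: answer directly.
        transcript.append((owner.name, f"possession({requested}) = {requested in owner.credentials}"))
        return transcript
    # The owner states the ack-policy without hinting whether she holds the credential.
    transcript.append((owner.name, f"ack-policy({requested}) requires {sorted(policy)}"))
    shown = policy & asker.credentials
    transcript.append((asker.name, f"shows {sorted(shown)}"))
    if shown != policy:
        # Identical refusal for holders and non-holders: nothing about possession leaks.
        transcript.append((owner.name, "ack-policy not satisfied; no answer"))
        return transcript
    transcript.append((owner.name, f"possession({requested}) = {requested in owner.credentials}"))
    return transcript


def transcripts_indistinguishable(holder_transcript: list, nonholder_transcript: list) -> bool:
    """True when everything before the final possession answer is identical."""
    return holder_transcript[:-1] == nonholder_transcript[:-1]


# Constructed parties: two versions of Alice with the same ack-policies, one
# holding the sensitive credential and one not, plus two possible askers.
ACK_POLICIES = {"clearance_cert": {"gov_employee_id"}, "union_card": {"hr_badge"}}
alice_holder = Party("Alice", {"clearance_cert", "passport"}, dict(ACK_POLICIES))
alice_nonholder = Party("Alice", {"passport"}, dict(ACK_POLICIES))
stranger = Party("Bob", {"passport"})
official = Party("Bob", {"passport", "gov_employee_id"})


if __name__ == "__main__":
    for owner in (alice_holder, alice_nonholder):
        for asker in (stranger, official):
            print(f"--- owner holds: {sorted(owner.credentials)}, asker holds: {sorted(asker.credentials)}")
            for speaker, msg in ack_policy_negotiation(owner, asker, "clearance_cert"):
                print(f"  {speaker}: {msg}")
```

The cost the text mentions is visible in the constructed data: `ACK_POLICIES` has one entry per possible sensitive credential, so the non-holder maintains as many policies as the holder even though she holds none of the credentials they guard.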
Another way to address the problem is to abstract away from requesting specific credentials, and instead request a particular attribute [59]. For example, one can request age instead of a driver's license. With the help of an ontology of concepts and credential contents, a party can choose which credential to disclose to prove possession of the desired attribute, in such a manner that as little sensitive information as possible is disclosed in the process. For example, Alice might choose to prove her age by disclosing her passport rather than her driver's license, as the latter includes her home address and other sensitive information not present in a passport. The ontology can also be used to help respond to requests for a particular attribute by disclosing either more specific or more general information than was requested. For example, if asked to prove North American residency, a party might instead prove that they live in Mexico.
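The attribute-based selection just described, as an added Python example that is not from the book or from [59]. A small is-a ontology lets a more specific attribute (Mexico residency) satisfy a request for a more general one (North American residency), and a per-attribute sensitivity weight lets the owner pick, among the credentials that prove the requested attribute, the one that reveals the least. The ontology, credential contents and weights are all constructed for illustration.

```python
"""Minimal-disclosure credential selection over a toy attribute ontology.

Added example, not from the book: the requester asks for an attribute, and the
owner chooses the held credential that proves it at the lowest sensitivity cost.
"""

# Constructed is-a ontology: a more specific attribute proves the more general one.
ONTOLOGY = {
    "mexico_resident": "north_american_resident",
    "canada_resident": "north_american_resident",
    "over_21": "over_18",
}

# Constructed credential contents: which attributes each credential type reveals.
CREDENTIAL_CONTENTS = {
    "passport": {"name", "date_of_birth", "nationality", "over_21"},
    "drivers_license": {"name", "date_of_birth", "home_address", "over_21"},
    "utility_bill": {"name", "home_address", "mexico_resident"},
}

# Constructed sensitivity weights: how costly it is to reveal each attribute.
SENSITIVITY = {
    "name": 1, "date_of_birth": 2, "nationality": 1,
    "home_address": 5, "over_21": 1, "mexico_resident": 2,
}


def generalizations(attr: str) -> list:
    """attr followed by every more general attribute reachable in the ontology."""
    chain = []
    while attr is not None:
        chain.append(attr)
        attr = ONTOLOGY.get(attr)
    return chain


def proves(credential: str, requested: str) -> bool:
    """Does any attribute in the credential entail the requested attribute?"""
    return any(requested in generalizations(a) for a in CREDENTIAL_CONTENTS[credential])


def disclosure_cost(credential: str) -> int:
    """Total sensitivity of everything the credential reveals."""
    return sum(SENSITIVITY.get(a, 0) for a in CREDENTIAL_CONTENTS[credential])


def choose_credential(held: set, requested: str):
    """Least-sensitive held credential that proves `requested`, or None."""
    candidates = [c for c in held if proves(c, requested)]
    if not candidates:
        return None
    return min(candidates, key=disclosure_cost)


if __name__ == "__main__":
    alice = {"passport", "drivers_license", "utility_bill"}
    for wanted in ("over_18", "north_american_resident", "canada_resident"):
        chosen = choose_credential(alice, wanted)
        print(f"request {wanted!r}: disclose {chosen!r}"
              + (f" (cost {disclosure_cost(chosen)})" if chosen else ""))
```

With these weights the passport (cost 5) beats the driver's license (cost 9) for an age request, matching the book's example, and a utility bill that only states Mexico residency is accepted for a North American residency request because the ontology chain from `mexico_resident` reaches `north_american_resident`.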
In all approaches where parties directly disclose credentials to one another, a credential owner has no guarantee that the other party will not show her disclosed credentials and policies to additional parties. In other words, there is no guarantee, or even any suggestion, that others will respect her disclosure policies. PeerAccess [66] addresses this problem by requiring recipients of information to ensure that future recipients of that information also satisfy the original owner's disclosure policies; however, a malicious party could simply ignore this requirement. Another low-cost option is to employ P3P during trust negotiation, as proposed for the privacy-preserving version of the Trust-χ framework for TN [60]. Under this approach, information owners can examine the P3P policies of their negotiation partners, before disclosing any credentials or policies. Of course, a malicious party might not abide by their own P3P policy. In addition, when a credential is forwarded to a third party, the original owner does not have the opportunity to inspect the P3P policy of that party and approve the transfer. If these are significant concerns, then