ferent policy compliance checkers. This enables reasonable comparisons to be made between specific system components without requiring modification to the runtime system itself. Further information regarding the specifics of the TrustBuilder2 framework can be found in the programmer documentation and user manuals included with the TrustBuilder2 software distribution.
6 Open Issues and Trends
6.1 Policy Engineering and User Interfaces
The properties of those who can access a resource are specified in the access control policy determined by the resource's owner. Any mistake in the specification or implementation of the policy can potentially be found and automatically exploited by adversaries. Unfortunately, it is very easy to make a mistake when writing a policy. As Cornwell et al. report from their testbed deployment of user-created privacy policies in a pervasive computing environment [19]: “Rules specified at the beginning of the [trials] only captured their policies 59% of the time. [...] Even when using the rules that users ended up with at the end of the experiments and re-running these rules on all 30 (or 45) scenarios, decisions were only correct 70% of the time.” The authors suggest that using machine learning techniques to learn users' privacy policies might be more effective.
More generally, software engineering methods to help people write, update, analyze, and understand authorization policies are an open research area. A great amount of research is needed on environments for policy specification, analysis, and debugging; HCI issues in policy engineering, including user-friendly policy languages and interfaces to policy engineering environments [38]; ways to explain authorization decisions to people, and to suggest how they can get a negative decision reversed [35, 13]; and how to compile operational policies from high-level abstract policies.
As a small aid, we expect that many credential issuers will supply suggested default policies to protect the credentials they issue. For example, Alice's doctor's office can supply a suggested policy with each prescription written by the doctor, saying that the prescription should only be disclosed to its owner (Alice) or to a licensed physician. For more complex situations, issuers could offer a Chinese-menu-style set of options. The use of default policies will shield credential bearers from the need to understand policy languages, and will reduce the number of loopholes in their policies.
6.2 Real-world Trust Negotiation Deployments
After several years of research, trust negotiation protocols have yet to make their way into the mainstream; the one exception is the inclusion of idemix in the Trusted Platform Module specification, for use in anonymous attestation.