the two parties exchange information about the credentials needed for access.
The access control decision then comes after a complex process, in which the
parties exchange information related not only to the access itself, but also
to additional restrictions imposed by the counterpart. This process, called
trust negotiation, has the main goal of establishing trust between the
interacting parties in an automated manner. A number of trust negotiation
strategies have been proposed in the literature, which are characterized by
the following steps.
1. The client first requests to access a resource.
2. The server then checks if the client provided the necessary credentials.
   In case of a positive answer, the server grants access to the resource;
   otherwise it communicates to the client the policies that she has to
   fulfill.
3. The client selects the requested credentials, if possible, and sends them
   to the server.
4. If the credentials satisfy the request, the client is granted access to
   the resource.
This straightforward trust negotiation process suffers from privacy problems,
since the server discloses its access control policy entirely and the client
exposes all her certificates to gain access to a resource. To address this
problem, a gradual trust establishment process can be enforced [31]. In this
case, upon receiving an access request, the server selects the policy that
governs the access to the service and discloses only the information that it
is willing to show to an unknown party. The client, according to its
practices, decides if it is willing to disclose the requested credentials.
Note that this incremental exchange of requests and credentials can be
iteratively repeated as many times as necessary.
PRUdent NEgotiation Strategy (PRUNES) is another negotiation strategy whose
main goal is to minimize the number of certificates that the client
communicates to the server [30]. It also ensures that the client communicates
her credentials to the server only if the access will be granted. Each party
defines a set of credential policies on which the negotiation process is
based. The established credential policies can be graphically represented
through a tree, called negotiation search tree, composed of two kinds of
nodes: credential nodes, representing the need for a specific credential, and
disjunctive nodes, representing the logic operators connecting the conditions
for credential release. The root of the tree represents the resource the
client wants to access. The negotiation process can be seen as a backtracking
operation on the tree. To avoid the cost of a brute-force backtracking, the
authors propose the PRUNES method to prune the search tree without
compromising completeness or correctness of the negotiation process. The
basic idea is that if a credential has just been evaluated and the state of
the system has not changed too much, then it is useless to evaluate again the
same credential.
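The backtracking search over a negotiation search tree can be sketched as follows. This is an added example, not code from the cited papers and not the published PRUNES algorithm: it is a simplified depth-first search that caches failed credentials so they are not evaluated twice. The credential names and policies are constructed, and a single process stands in for both parties.

```python
# Constructed policies. Each item maps to alternatives (OR) of credential sets
# (AND) the counterpart must disclose first; an empty set means freely releasable.
SERVER = {
    "resource":       [{"c_employee_id"}, {"c_credit_card", "c_membership"}],
    "s_bbb_cert":     [set()],
    "s_privacy_seal": [{"c_membership"}],
}
CLIENT = {
    "c_employee_id": [{"s_gov_license"}],  # server holds no such credential
    "c_credit_card": [{"s_bbb_cert"}, {"s_privacy_seal"}],
    "c_membership":  [set()],
}

def negotiate(target, policies, trace=None):
    """Depth-first search of the negotiation tree rooted at `target`.
    Returns the ordered disclosures that unlock it, or None (nothing disclosed)."""
    plan, failed, cycle_hits = [], set(), [0]

    def solve(item, path):
        if trace is not None:
            trace.append(item)                # record every evaluation
        if item in plan:                      # already scheduled for disclosure
            return True
        if item in path:                      # circular requirement on this branch
            cycle_hits[0] += 1
            return False
        if item in failed or item not in policies:
            return False
        before = cycle_hits[0]
        for needed in policies[item]:         # disjunctive node: try each alternative
            mark = len(plan)
            if all(solve(c, path | {item}) for c in sorted(needed)):
                plan.append(item)
                return True
            del plan[mark:]                   # backtrack: drop partial disclosures
        if cycle_hits[0] == before:           # failure did not depend on the path
            failed.add(item)                  # prune: never re-evaluate it
        return False

    return plan if solve(target, frozenset()) else None

def owner(item):
    return "server" if item in SERVER else "client"

if __name__ == "__main__":
    for step in negotiate("resource", {**SERVER, **CLIENT}) or []:
        print(f"{owner(step)} discloses {step}")
```

The plan is computed before anything is released, so when no alternative can be satisfied the function returns None and no credential is disclosed; credentials on abandoned branches, such as `s_privacy_seal` here, never appear in the plan.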
A large set of negotiation strategies, called disclosure tree strategy (DTS)
family [32], has also been defined and proved to be closed. This means that,