if two parties use different strategies from the DST family, they will be able to negotiate trust. A Unified Schema for Resource Protection (UniPro) [33] has been proposed to protect the information specified within policies. UniPro gives (opaque) names to policies and allows any named policy P1 to have its own policy P2, meaning that the content of P1 can only be disclosed to parties who satisfy P2. Another solution is the Adaptive Trust Negotiation and Access Control (ATNAC) approach [34]. This method grants (or denies) access on the basis of a suspicion level associated with subjects. The suspicion level is not fixed but may vary on the basis of the probability that the user has malicious intent.
It is important to note that in recent, more complicated scenarios, disclosure policies can be defined both on resources and on credentials [22]. In this case, the client, upon receiving a request for a certificate, can answer with a counter-request to the server for another certificate.
3.2 Overview of a Credential-Based Access Control Framework
One of the first solutions providing a uniform framework for credential-based access control specification and enforcement was presented by Bonatti and Samarati [22]. The proposed access control system includes an access control model, a language, and a policy filtering mechanism.
The paper envisions a system composed of two entities: a client and a server, interacting through a predefined negotiation process. The server is characterized by a set of resources. Both the client and the server have a portfolio, which is a collection of credentials (i.e., statements issued by authorities trusted for making them [35]) and declarations (statements issued by the party itself). Credentials correspond to digital certificates and are guaranteed to be unforgeable and verifiable through the public key of the issuing authority.
With the aim of performing gradual trust establishment between the two interacting parties, the server defines a set of service accessibility rules, and both the client and the server define their own set of portfolio disclosure rules. The service accessibility rules specify the necessary and sufficient conditions for accessing a resource, while portfolio disclosure rules define the conditions that govern the release of credentials and declarations. Both classes of rules are expressed by using a logic language. A special class of predicates is represented by abbreviations. Since there may exist a number of alternative combinations of certificates allowing access to a resource, abbreviation predicates may be used for reducing the communication cost of such certificates. The predicates of the language adopted exploit the current state (i.e., parties' characteristics, certificates already exchanged in the negotiation, and requests made by the parties) to take a decision about a release. The information about the state is classified as persistent state, when the information is stored at the site and spans different negotiations, and negotiation state, when it is acquired during the negotiation and is deleted when the negotiation terminates.
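The negotiation described above (service accessibility rules with alternative credential sets standing in for abbreviations, portfolio disclosure rules on both sides that can trigger the counter-requests mentioned earlier, and persistent versus negotiation state) as an added toy model; this is not code from the chapter or from Bonatti and Samarati's system, and the credential names such as hospital_accreditation and the rule structures are constructed assumptions.

```python
class Party:
    """A negotiating party: a portfolio plus its portfolio disclosure rules."""
    def __init__(self, name, portfolio, disclosure_rules):
        self.name = name
        self.portfolio = set(portfolio)      # persistent state: credentials it holds
        self.rules = disclosure_rules        # cred -> peer creds that must be seen first
        self.received = set()                # negotiation state: peer creds seen so far

    def can_release(self, cred):
        return cred in self.portfolio and self.rules.get(cred, set()) <= self.received

def negotiate(server, client, resource, service_rules, max_rounds=10):
    """Gradual trust establishment for one resource. service_rules maps a resource
    to alternative credential sets (the abbreviations). Returns (granted, trace)."""
    trace = []
    for alternative in service_rules[resource]:
        if not alternative <= client.portfolio:      # client cannot satisfy this one
            continue
        for _ in range(max_rounds):
            if alternative <= server.received:
                trace.append(f"access to {resource} granted")
                return True, trace
            before = len(server.received) + len(client.received)
            counter = set()                          # client's counter-request
            for c in sorted(alternative - server.received):
                if client.can_release(c):
                    server.received.add(c)
                    trace.append(f"client -> server: {c}")
                else:
                    counter |= client.rules.get(c, set()) - client.received
            for c in sorted(counter):                # server answers per its own rules
                if server.can_release(c):
                    client.received.add(c)
                    trace.append(f"server -> client: {c}")
            if len(server.received) + len(client.received) == before:
                break                                # deadlock: try the next alternative
    trace.append(f"access to {resource} denied")
    return False, trace

def demo():
    """Constructed scenario: the client shows its insurance card only after seeing
    the server's accreditation, which the server releases freely."""
    server = Party("server", {"hospital_accreditation"}, {})
    client = Party("client", {"insurance_card", "id_card"},
                   {"insurance_card": {"hospital_accreditation"}})
    rules = {"medical_record": [{"insurance_card", "id_card"}, {"vip_pass"}]}
    return negotiate(server, client, "medical_record", rules)
```

If both parties' disclosure rules wait on each other, no round makes progress and the model falls back to the next alternative or denies access, which is the deadlock a real strategy must also detect.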