cross-organizational resource sharing, this imposes an excessive administrative burden in our world of rapidly changing organizational structures and partnerships. It becomes entirely ad hoc, chaotic, and unmanageable when the requirements for authorization have nothing to do with formal organizational affiliations, such as a senior citizen discount or letting family and friends access an on-line photo album. This is because the approach relies too heavily on pre-established trust relationships.
Over the last 10-15 years, researchers have proposed new techniques that enable on-line parties to establish trust on the fly, as the need arises. Bina et al. proposed using characteristics other than identity, attested to by known authorities in digital certificates, as a basis for authorization on the Internet [8]. Blaze et al. introduced a complementary approach to authorization based on delegation of privileges and coined the term trust management to describe it [11]. Ellison et al. introduced a similar scheme called SPKI [22]. Rivest et al. introduced a scheme called SDSI [54] that provides an ingenious way to introduce names and bind them to public keys controlled by individuals and groups, which greatly facilitates identifying authorized principals electronically. Following these seminal works, a great deal of work has been done, much of which we will survey in this chapter.
Trust management systems typically use cryptographic credentials to convey information relevant to authorization decisions. The authorization decision determines whether a given set of credentials demonstrates that a given request to access a resource, such as a web or peer-to-peer service, is authorized, which is to say that the access request complies with the current policy governing that resource. This raises two additional problems that we also survey here. First, the credentials are issued in a decentralized manner, and somehow the relevant credentials need to be collected or otherwise made available to the authorization evaluation process. Second, some credentials carry sensitive, confidential information, and may need to be subject to access control themselves when dealing with an unfamiliar resource provider or requester. The same may also be true of policy: an access control policy may give clues about the nature of the resource it protects. For example, if a patient's prescription can be viewed only by their pharmacist or by their parent, then one can guess that the prescription is for a child. To preserve the privacy of the resources that they protect, policies themselves may need protection just like any other resource. In other words, access to the contents of a policy may need to be governed by another access control policy. These additional authorization decisions can also be based on credentials. Thus, there is a need for a process of credential exchange in which both parties seek to enable a positive authorization decision for the main resource request, while also supporting the additional authorization decisions that may be necessary to achieve this. This process is trust negotiation [64, 65], an automated approach to establishing bilateral trust between two parties at run time.
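The following simulation makes the credential-exchange process concrete. It is an added illustration written for this page, not code from the chapter or from any of the cited systems: each party holds attribute credentials, each credential carries its own release policy over the credentials the holder has already received, and the requested resource carries an access policy over what the provider has received. The issuer name, the "licensed pharmacist" and "registered pharmacy" attributes, and the party names are constructed for the example. Beyond the successful case, it shows the two ways a negotiation ends without access: the requester simply lacks the required attribute, and the cyclic case in which each side's release policy waits on a credential the other side will not show first, so neither party can take the first step.

```python
"""Toy trust negotiation between a requester and a resource provider.

Constructed example: credentials are attribute assertions (not identities),
each guarded by a release policy; the resource is guarded by an access policy.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Credential:
    issuer: str      # authority that attested to the attribute (assumed name)
    subject: str     # holder of the credential
    attribute: str   # attested property, e.g. "licensed pharmacist"


# A policy is a predicate over the credentials a party has received so far.
Policy = Callable[[FrozenSet[Credential]], bool]


def requires(issuer: str, attribute: str) -> Policy:
    """Satisfied once some received credential from `issuer` asserts `attribute`."""
    return lambda creds: any(c.issuer == issuer and c.attribute == attribute for c in creds)


def unconditional(creds: FrozenSet[Credential]) -> bool:
    """Release policy for a credential the holder is willing to show anyone."""
    return True


@dataclass
class Party:
    name: str
    wallet: Dict[Credential, Policy]           # own credential -> its release policy
    received: set = field(default_factory=set)  # credentials shown to us by the peer
    disclosed: set = field(default_factory=set)  # credentials we have already shown

    def releasable(self) -> List[Credential]:
        """Credentials whose release policy is met by what the peer has shown."""
        return [c for c, policy in self.wallet.items()
                if c not in self.disclosed and policy(frozenset(self.received))]


def negotiate(requester: Party, provider: Party, resource_policy: Policy,
              max_rounds: int = 8) -> Tuple[bool, List[Tuple[str, Credential]]]:
    """Alternate disclosures until the resource policy holds or nobody can move.

    Returns (granted, log) where log lists (sender, credential) in disclosure order.
    """
    log: List[Tuple[str, Credential]] = []
    for _ in range(max_rounds):
        if resource_policy(frozenset(provider.received)):
            return True, log
        progress = False
        for sender, receiver in ((requester, provider), (provider, requester)):
            for cred in sender.releasable():
                sender.disclosed.add(cred)
                receiver.received.add(cred)
                log.append((sender.name, cred))
                progress = True
        if not progress:
            # Stalemate: every undisclosed credential is locked behind a policy
            # the peer cannot (or will not) satisfy, so the exchange cannot continue.
            return False, log
    return resource_policy(frozenset(provider.received)), log


# Constructed scenario: a pharmacy server guards a prescription record.
BOARD = "State Pharmacy Board"                      # assumed issuer name
PRESCRIPTION_POLICY = requires(BOARD, "licensed pharmacist")


def run_pharmacist_case():
    """Success: the pharmacy's public registration unlocks Alice's sensitive license."""
    license_ = Credential(BOARD, "alice", "licensed pharmacist")
    registration = Credential(BOARD, "pharmacy", "registered pharmacy")
    alice = Party("alice", {license_: requires(BOARD, "registered pharmacy")})
    pharmacy = Party("pharmacy", {registration: unconditional})
    return negotiate(alice, pharmacy, PRESCRIPTION_POLICY)


def run_unlicensed_case():
    """Failure: the requester holds nothing that can satisfy the resource policy."""
    registration = Credential(BOARD, "pharmacy", "registered pharmacy")
    mallory = Party("mallory", {})
    pharmacy = Party("pharmacy", {registration: unconditional})
    return negotiate(mallory, pharmacy, PRESCRIPTION_POLICY)


def run_deadlock_case():
    """Failure: each side's release policy waits on the other's credential."""
    license_ = Credential(BOARD, "alice", "licensed pharmacist")
    registration = Credential(BOARD, "pharmacy", "registered pharmacy")
    alice = Party("alice", {license_: requires(BOARD, "registered pharmacy")})
    pharmacy = Party("pharmacy", {registration: requires(BOARD, "licensed pharmacist")})
    return negotiate(alice, pharmacy, PRESCRIPTION_POLICY)


if __name__ == "__main__":
    for case in (run_pharmacist_case, run_unlicensed_case, run_deadlock_case):
        granted, log = case()
        print(case.__name__, "granted" if granted else "denied",
              [f"{who} -> {c.attribute}" for who, c in log])
```

Within each round the requester moves before the provider, so in the successful case the provider's unconditional registration credential is what breaks the initial standoff; the deadlock case differs only in making that registration credential sensitive too, which is enough to make the whole negotiation fail even though both parties hold everything the other asks for.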
Current and emerging practice implements authorization decisions in middleware or, often, even in the application. Consequently, the goal of this