a decentralized manner (i.e., within different security domains) has increased enormously on the Internet. As a result, services are often provided to clients whose identities are not previously known to the service provider. Similarly, the participants in a peer-to-peer system need to establish mutual trust in one another. In such a decentralized environment, the traditional access control mechanisms such as ACLs cannot be used to secure the system without excluding vast numbers of valuable and well-intentioned clients and peers.
The trust management (TM) approach, first developed by Blaze et al. [11], aims to provide a basis for authorization in highly decentralized environments by enabling resource owners to delegate authority to other entities who will help them identify the appropriate requesters to authorize. In this manner, resource owners and other policy authors can enlist the assistance of appropriate authorities in determining the suitability of individual requesters for authorization.
Trust management relies on digital credentials, which are unforgeable statements signed by their issuer. Typically, a digital credential contains an assertion about the properties of one or more principals mentioned in the credential. The best-known standard for digital credentials is X.509v3 [31], though many alternatives exist. Most of these schemes rely on public key cryptography: the credential issuer signs the credential using its private key, and anyone can verify the contents of the credential by obtaining the corresponding public key and checking the signature. In the US, recent legislation such as the Sarbanes-Oxley Act has forced the widespread adoption of the public key infrastructures needed to support digital credentials. Today's digital credentials are typically identity certificates, i.e., they simply say what public key is associated with a particular principal. However, current credential standards already support the inclusion of additional information describing a principal's properties, such as one would need for a digital employee ID, driver's license, or birth certificate.
In TM systems, security policy is made by local administrators to specify access control rules on local resources. Blaze et al. [10] said that trust management systems combined the notion of specifying security policy with the mechanism for specifying security credentials. The authorization semantics of most TM systems is monotonic in the sense that if any given action is approved when given a set of evidence E (i.e., policies and credentials), then it will also be approved when given any superset of E. This means that no negative evidence is allowed in the system. Monotonicity ensures fail-safe behavior in which no potentially dangerous action is allowed by default, simply because of an inability to find negative credentials. This is especially important in decentralized environments due to the many factors that can prevent one from obtaining complete information about all the credentials in the system (network interruption, uncooperative credential repositories, lost information, etc.).
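
The monotonic, fail-safe evaluation described above, together with delegation from a resource owner to other authorities, can be seen in a small evaluator. This is an added example, not taken from the original text or from any particular TM system; the credential format, principal names and function names are hypothetical, and signatures are assumed to have been verified already.

```python
from itertools import combinations

# Constructed evidence: (issuer, role, subject). The subject is a principal
# name, or an (issuer, role) pair meaning "everyone in that role" (delegation).
# Assumption: signatures were already verified; all names are hypothetical.
POLICY = [("Shop", "discount", ("University", "student"))]
CREDENTIALS = [
    ("University", "student", ("Registrar", "enrolled")),
    ("Registrar", "enrolled", "alice"),
    # Just another positive role statement; it cannot revoke anything.
    ("Gossip", "blacklist", "alice"),
]

def members(evidence):
    """Least fixpoint: map each (issuer, role) to the principals it contains."""
    roles = {}
    changed = True
    while changed:
        changed = False
        for issuer, role, subject in evidence:
            new = roles.get(subject, set()) if isinstance(subject, tuple) else {subject}
            current = roles.setdefault((issuer, role), set())
            if not new <= current:
                current |= new
                changed = True
    return roles

def authorized(evidence, owner, role, requester):
    """Approve only when positive evidence derives membership; otherwise deny."""
    return requester in members(evidence).get((owner, role), set())

def is_monotonic(base, extra, query):
    """Check that an approval under base holds for base plus any subset of extra."""
    if not authorized(base, *query):
        return True
    return all(authorized(base + list(subset), *query)
               for n in range(len(extra) + 1)
               for subset in combinations(extra, n))
```

Dropping the Registrar credential from the evidence makes the same request fail closed, which is the behavior to expect when a credential repository is unreachable.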
Most discussions of TM systems use the terms “certificate” and “credential” more or less interchangeably. However, unlike certificates in public key