Abstract
In automated trust negotiation (ATN), two parties exchange digitally
signed credentials that contain attribute information to establish trust
and make access control decisions. Because the information in question
is often sensitive, credentials are protected according to access
control policies. In traditional ATN, credentials are transmitted
either in their entirety or not at all. This approach can at times fail
unnecessarily, either because a cyclic dependency makes neither
negotiator willing to reveal her credential before her opponent, because
the opponent must be authorized for all attributes packaged together in
a credential to receive any of them, or because it is necessary to fully
disclose the attributes, rather than merely proving they satisfy some
predicate (such as being over 21 years of age). Recently, several
cryptographic credential schemes and associated protocols have been
developed to address these and other problems. However, they can be
used only as fragments of an ATN process. This paper introduces a
framework for ATN in which the diverse credential schemes and protocols
can be combined, integrated, and used as needed. A policy language is
introduced that enables negotiators to specify authorization
requirements that must be met by an opponent to receive various amounts
of information about certified attributes and the credentials that
contain it. The language also supports the use of uncertified
attributes, allowing them to be required as part of policy satisfaction
and placing their (automatic) disclosure under policy control.
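The following toy negotiation model is an added illustration, not code from the paper. It simulates the two failure modes the abstract names for traditional all-or-nothing credential exchange (a cyclic policy dependency, and a credential bundling attributes the opponent is not authorized for, where only a predicate over one attribute is actually needed), and contrasts them with attribute-level disclosure. All names, credentials, policies and the age predicate are constructed; the predicate is modelled as simply sending its value, standing in for the zero-knowledge proof a cryptographic credential scheme would use.

```python
from dataclasses import dataclass, field

REFERENCE_YEAR = 2024  # constructed: fixed "today" so the age predicate is deterministic


@dataclass
class Credential:
    """A signed credential packaging several attributes together."""
    name: str
    attributes: dict                     # attribute name -> value
    predicates: dict = field(default_factory=dict)  # predicate name -> fn(attributes) -> bool


@dataclass
class Negotiator:
    name: str
    credentials: list
    # release policy per attribute/predicate: the set of attribute names the
    # opponent must already have shown before this item may be disclosed
    policies: dict
    granular: bool = False   # False: whole credentials only (traditional ATN)
    received: dict = field(default_factory=dict)  # what the opponent has shown us
    sent: set = field(default_factory=set)        # items we have already released

    def satisfied(self, item):
        return self.policies.get(item, set()) <= set(self.received)

    def step(self, opponent):
        """Release everything whose policy is currently met; True if anything was released."""
        progress = False
        for cred in self.credentials:
            if self.granular:
                # attribute-level disclosure: each attribute is governed separately
                for attr, value in cred.attributes.items():
                    if attr not in self.sent and self.satisfied(attr):
                        opponent.received[attr] = value
                        self.sent.add(attr)
                        progress = True
                # predicate proof: the opponent learns only the predicate's truth value
                for pred, fn in cred.predicates.items():
                    if pred not in self.sent and self.satisfied(pred):
                        opponent.received[pred] = fn(cred.attributes)
                        self.sent.add(pred)
                        progress = True
            else:
                # traditional ATN: the opponent must be authorized for every
                # attribute in the credential to receive any of them
                if cred.name not in self.sent and all(self.satisfied(a) for a in cred.attributes):
                    opponent.received.update(cred.attributes)
                    self.sent.add(cred.name)
                    progress = True
        return progress


def negotiate(a, b, max_rounds=10):
    """Alternate releases until neither side can make progress; return what each learned."""
    for _ in range(max_rounds):
        if not (a.step(b) | b.step(a)):   # '|' so both sides get a turn each round
            break
    return dict(a.received), dict(b.received)


def cyclic_deadlock():
    """Each side's credential may only be shown after the other's: nobody goes first."""
    alice = Negotiator("alice", [Credential("employee", {"employee_id": "E-123"})],
                       {"employee_id": {"partner"}})
    bob = Negotiator("bob", [Credential("partner", {"partner": "ACME"})],
                     {"partner": {"employee_id"}})
    return negotiate(alice, bob)


def bundled_vs_selective(granular):
    """Bob only needs to know Alice is over 21; her licence also bundles address and birthdate."""
    licence = Credential(
        "drivers_license",
        {"name": "Alice", "address": "1 Main St", "birthdate": "1990-05-01"},
        {"over_21": lambda attrs: int(attrs["birthdate"][:4]) <= REFERENCE_YEAR - 21},
    )
    alice = Negotiator("alice", [licence],
                       {"name": set(), "address": {"doctor"}, "birthdate": {"doctor"}, "over_21": set()},
                       granular=granular)
    bob = Negotiator("bob", [Credential("bar_license", {"bar": "Corner Bar"})], {"bar": set()},
                     granular=granular)
    return negotiate(alice, bob)


if __name__ == "__main__":
    print("cyclic:", cyclic_deadlock())                       # ({}, {})
    print("bundled:", bundled_vs_selective(granular=False))   # Bob learns nothing
    print("selective:", bundled_vs_selective(granular=True))  # Bob learns name and over_21 only
```

In the traditional run Alice never releases her licence, because Bob is not authorized for the address and birthdate it bundles, so the negotiation fails even though Bob only needs the age predicate. With attribute-level policies she discloses the name and proves `over_21` while the birthdate and address stay private, which is the kind of outcome the framework's policy language is meant to express.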
Keywords
privacy, access control, trust negotiation, digital credential