Abstract
Existing access control systems are typically unilateral in that the enterprise service provider assigns the access rights and makes the access control decisions, and there is no negotiation between the client and the service provider. As access management systems lean towards being user-centric, unilateral approaches can no longer adequately preserve the user’s privacy, particularly where the communicating parties have no pre-existing trust relationships. Establishing sufficient trust is therefore essential before parties can exchange sensitive information. This paper describes a bilateral symmetric approach to access control which deals with privacy and confidentiality simultaneously in distributed transactions. We introduce the concept of Obligation of Trust (OoT) as a privacy assurance mechanism that is built upon the XACML standard. The OoT allows communicating parties to dynamically exchange their privacy requirements, which we term Notification of Obligations (NOB) as well as their committed obligations, which we term Signed Acceptance of Obligations (SAO). We describe some applicability of these concepts and show how they can be integrated into distributed access control systems for stricter privacy and confidentiality control.
Chapter PDF
Similar content being viewed by others
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
References
Bertino, E., Ferrari, E., Squicciarini, A.: Trust Negotiations: Concepts, Systems and Languages, pp. 27–34. IEEE Computer, Los Alamitos (2004)
W3C: The Platform for Privacy Preferences 1.0 (P3P 1.0). Technical Report (2002)
Langheinrich, E.Z.M.: A P3P Preference Exchange Language 1.0 (APPEL1.0). W3C (April 5, 2002)
OECD: Fair Information Practice. In The Electronic Marketplace A Report To Congress (May 2000), http://www.ftc.gov/reports/privacy2000/privacy2000.pdf
W3C: Platform for Privacy Preferences (P3P) (2004)
Cantor, S.: Shibboleth Architecture. Internet2 Middleware (2005), http://shibboleth.internet2.edu/shibboleth-documents.html
Cantor, S., Kemp, J., Philpott, R., Maler, E.: Security Assertion Markup Language (SAML) V2.0 (March 2005), http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
Seamons, K.E., Ryutov, T., Zhou, L., Neuman, C., Leithead, T.: Adaptive Trust Negotiation and Access Control. In: 10th ACM Symposium on Access Control Models and Technologies, Stockholm, Sweden (2005)
Winsborough, W.H., Li, N.: Towards Practical Automated Trust Negotiation. In: Policy 2002. Proceedings of the Third International Workshop on Policies for Distributed Systems and Networks (2002)
Seamons, K.E., Winslett, M., Yu, T., Yu, L., Jarvis, R.: Protecting Privacy during On-line Trust Negotiation. In: 2nd Workshop on Privacy Enhancing Technologies, San Francisco, CA (2002)
Winsborough, W.H., Seamons, K.E., Jones, V.E.: Negotiating Disclosure of Sensitive Credentials. In: 2nd Conference on Security in Communication Networks, Amlfi, Italy (1999)
Bertino, E.F.E., Squicciarini, A.: TNL: An XML-based Language for Trust Negotiations. In: IEEE 4th International Workshop on policies for Distributed Systems and Networks, Lake Como Italy (2003)
Pau, L.-F.: Privacy Negotiation and Implications on Implementations. In: W3C Workshop on Languages for Privacy Policy Negotiation and Semantics-Driven Enforcement (2006)
Preibusch, S.: Privacy Negotiations with P3P. In: W3C Workshop on Languages for Privacy Policy Negotiation and Semantics-Driven Enforcement (2006)
Spantzel, A.B., Squicciarini, A.C., Bertino, E.: Trust Negotiation in Identity Management. IEEE Security & Privacy, 55–63 (2007)
OASIS: eXtensible Access Control Markup Language (XACML) Version 2.0. OASIS Standard (February 1, 2005)
Anderson, A.: Web Services Profile of XACML (WS-XACML) Version 1.0, WD 8. OASIS XACML Technical Committee (December 12, 2006)
University of Salford: Schema for Obligation of Trust (OoT) (December 2006), http://infosec.salford.ac.uk/names/oot/ootSchema/
Mbanaso, U., Cooper, G.S., Chadwick, D.W., Proctor, S.: Privacy Preserving Trust Authorization using XACML. In: TSPUC 2006. Second International Workshop on Trust, Security and Privacy for Ubiquitous Computing, Niagara-Falls, Buffalo-NY (2006)
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 2007 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Mbanaso, U.M., Cooper, G.S., Chadwick, D., Anderson, A. (2007). Obligations for Privacy and Confidentiality in Distributed Transactions. In: Denko, M.K., et al. Emerging Directions in Embedded and Ubiquitous Computing. EUC 2007. Lecture Notes in Computer Science, vol 4809. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-77090-9_7
Download citation
DOI: https://doi.org/10.1007/978-3-540-77090-9_7
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-77089-3
Online ISBN: 978-3-540-77090-9
eBook Packages: Computer ScienceComputer Science (R0)