Compliance Checking for Usage-Constrained Credentials in Trust Negotiation Systems

  • Jinwei Hu
  • Khaled M. Khan
  • Yun Bai
  • Yan Zhang
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7483)


We propose an approach to placing usage-constraints on RT credentials; issuers specify constraints by designing non-deterministic finite automata. We show by examples that this approach can express constraints of practical interest. We present a compliance checker in the presence of usage-constraints, especially for trust negotiation systems. Given an RT policy, the checker is able to find all minimal satisfying sets, each of which uses credentials in a way consistent with given constraints. The checker leverages answer set programming, a declarative logic programming paradigm, to model and solve the problem. We also show preliminary experimental results: supporting usage-constraints on credentials incurs affordable overheads and the checker responds efficiently.


Policy Language, Special Symbol, Proof Tree, Compliance Check, Trust Negotiation
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Jinwei Hu (1)
  • Khaled M. Khan (2)
  • Yun Bai (3)
  • Yan Zhang (3)
  1. Department of Computer Science, TU Darmstadt, Germany
  2. Department of Computer Science and Engineering, Qatar University, Qatar
  3. School of Computing and Mathematics, University of Western Sydney, Australia
