Assuring security and privacy for digital library transactions on the Web: client and server security policies

Often an information source on the Web would like to provide different classes of service to different clients. In the autonomous, highly distributed world of the Web, the traditional approach of using authentication to differentiate between classes of clients is no longer sufficient, as knowledge of a client's identity will often not suffice to determine whether a client is authorized to use a service. In (Ching et al., 1996) we proposed the use of digital credentials to help solve this problem; but their use will in turn introduce a bevy of new problems associated with credential management. In this paper we propose the use of server security policies and client credential submission policies to aid in the management of a client's digital credentials. We propose a structure for such policies, and briefly describe an implementation of personal security assistants and server security assistants that embodies our proposed approach.

[1]  Smart cards, 1992, CompEuro 1992 Proceedings Computer Systems and Software Engineering.

[2]  R.W. Baldwin, et al.  Naming and grouping privileges to simplify security management in large databases, 1990, Proceedings. 1990 IEEE Computer Society Symposium on Research in Security and Privacy.

[3]  Marianne Winslett, et al.  Authorization in the digital library: secure access to services across enterprise boundaries, 1996, Proceedings of the Third Forum on Research and Technology Advances in Digital Libraries.

[4]  David Chaum, et al.  A Secure and Privacy-protecting Protocol for Transmitting Personal Information Between Organizations, 1986, CRYPTO.

[5]  David Chaum, et al.  Showing Credentials without Identification: Transferring Signatures between Unconditionally Unlinkable Pseudonyms, 1990, AUSCRYPT.

[6]  Thomas R. Gruber, et al.  The Role of Common Ontology in Achieving Sharable, Reusable Knowledge Bases, 1991, KR.

[7]  Elisa Bertino, et al.  An Authorization Model for a Distributed Hypertext System, 1996, IEEE Trans. Knowl. Data Eng.

[8]  Marianne Winslett, et al.  Credentials for privacy and interoperation, 1995, Proceedings of 1995 New Security Paradigms Workshop.

[9]  José Vázquez-Gómez, et al.  Multidomain security, 1994, Comput. Secur.

[10]  Martín Abadi, et al.  Authentication and Delegation with Smart-cards, 1991, TACS.

[11]  Simon S. Lam, et al.  Authorizations in Distributed Systems: A New Approach, 1993, J. Comput. Secur.

[12]  Thomas R. Gruber, et al.  A translation approach to portable ontology specifications, 1993, Knowl. Acquis.

[13]  Dan M. Nessett.  Factors Affecting Distributed System Security, 1987, IEEE Transactions on Software Engineering.

[14]  Jonathan T. Trostle, et al.  Applicability of Smart Cards to Network User Authentication, 1994, Comput. Syst.

[15]  Selim G. Akl, et al.  Cryptographic solution to a problem of access control in a hierarchy, 1983, TOCS.

[16]  Timothy W. Finin, et al.  Enabling Technology for Knowledge Sharing, 1991, AI Mag.

[17]  Dan M. Nessett.  Factors Affecting Distributed System Security, 1986, 1986 IEEE Symposium on Security and Privacy.

[18]  M. R. Genesereth, et al.  Knowledge Interchange Format Version 3.0 Reference Manual, 1992, LICS 1992.

[19]  Teresa F. Lunt.  Access control policies: Some unanswered questions, 1989, Comput. Secur.

[20]  Stephen T. Kent, et al.  Internet Privacy Enhanced Mail, 1993, CACM.

[21]  Deborah Estrin.  Controls for Interorganization Networks, 1987, IEEE Transactions on Software Engineering.

[22]  Ravi S. Sandhu, et al.  Role-based access control: a multi-dimensional view, 1994, Tenth Annual Computer Security Applications Conference.

[23]  Richard Fikes, et al.  Enabling technology for knowledge sharing, 1991.