Trust Negotiation as an Authorization Service for Web Services

Like other open computing environments, web services need a scalable method of determining authorized users. We present desiderata for authorization facilities for web services, and analyze potential ways of satisfying them. We propose a third-party authorization system for web services based on trust negotiation, discuss its implementation using the TrustBuilder runtime system for trust negotiation, and present performance results from a stock trading application.
