A reference model for Authentication and Authorisation Infrastructures respecting privacy and flexibility in b2c eCommerce

Authentication and Authorisation Infrastructures (AAIs) are gaining momentum throughout the Internet. Solutions have been proposed for various scenarios, among them academia, grid computing, company networks, and above all eCommerce applications. Products and concepts vary in architecture, security features, target group, and usability, each with its own strengths and weaknesses. In addition, security needs in communication and business processes have changed: security on the Internet is no longer defined only as security measures protecting an eCommerce provider against an untrustworthy customer, but also vice versa. Consequently, privacy, data minimisation, and security are all demands in this area. The authors define criteria for an eCommerce provider federation using an AAI with a maximum of privacy and flexibility. The criteria are derived with a focus on b2c eCommerce applications that fulfil these demands. In addition to the best practices identified, XACML policies and an attribute infrastructure are deployed. Among the evaluated AAIs are Shibboleth, Microsoft Passport, the Liberty Alliance Framework, and PERMIS.
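The abstract mentions two mechanisms, XACML-style policies and an attribute infrastructure, in the service of a privacy-preserving provider federation. The following added example (illustration code, not the paper's reference model) shows the interplay in miniature: a service provider's policy declares which subject attributes it needs, the identity provider releases only those attributes (data minimisation), and an XACML-like deny-overrides evaluation yields Permit, Deny or NotApplicable. The user store, the attribute names, the resource name "checkout" and the country code "ZZ" are constructed placeholders.

```python
"""Minimal attribute-based access control across a two-party federation.

Illustration only: a hypothetical identity provider (IdP) holding user
attributes and a hypothetical service provider (SP) with a rule-based policy.
The IdP discloses only the attributes the SP's policy actually references,
which is the privacy property the paper's abstract calls for.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    """One policy rule: applies when every listed attribute has an allowed value."""
    effect: str                      # "Permit" or "Deny"
    conditions: Dict[str, Set[object]]  # attribute name -> set of allowed values


@dataclass
class Policy:
    """An XACML-like policy: a target resource plus rules, combined deny-overrides."""
    target_resource: str
    rules: List[Rule]

    def required_attributes(self) -> Set[str]:
        """Attributes the SP must learn to evaluate this policy (nothing more)."""
        return set().union(*(rule.conditions.keys() for rule in self.rules))


# Constructed IdP attribute store. Note the identifying attributes (email,
# real_name) that the policy below never needs and must therefore never see.
IDP_ATTRIBUTES: Dict[str, Dict[str, object]] = {
    "alice": {"age_over_18": True, "country": "DE", "membership": "premium",
              "email": "alice@example.invalid", "real_name": "Alice Example"},
    "bob":   {"age_over_18": False, "country": "DE", "membership": "standard",
              "email": "bob@example.invalid", "real_name": "Bob Example"},
    "carol": {"age_over_18": True, "country": "ZZ", "membership": "premium",
              "email": "carol@example.invalid", "real_name": "Carol Example"},
}

# Constructed SP policy: adults with a valid membership may check out,
# except from the placeholder country "ZZ" (deny overrides permit).
SHOP_POLICY = Policy(
    target_resource="checkout",
    rules=[
        Rule("Permit", {"age_over_18": {True}, "membership": {"standard", "premium"}}),
        Rule("Deny", {"country": {"ZZ"}}),
    ],
)


def release_attributes(idp_store: Dict[str, Dict[str, object]], subject: str,
                       requested: Set[str]) -> Dict[str, object]:
    """IdP side: data minimisation, release only the attributes requested."""
    known = idp_store.get(subject, {})
    return {name: value for name, value in known.items() if name in requested}


def evaluate(policy: Policy, resource: str, attrs: Dict[str, object]) -> str:
    """SP side: deny-overrides combining over the rules that match the attributes."""
    if resource != policy.target_resource:
        return "NotApplicable"
    matched = [
        rule.effect for rule in policy.rules
        if all(attrs.get(name) in allowed for name, allowed in rule.conditions.items())
    ]
    if not matched:
        return "NotApplicable"     # caller decides whether this means deny
    return "Deny" if "Deny" in matched else "Permit"


def federated_access(idp_store: Dict[str, Dict[str, object]], policy: Policy,
                     subject: str, resource: str) -> Tuple[str, Dict[str, object]]:
    """Full exchange: SP asks for required attributes, IdP releases them, SP decides.

    Returns the decision and the released attribute set so the disclosure
    can be audited alongside the decision.
    """
    requested = policy.required_attributes()
    released = release_attributes(idp_store, subject, requested)
    return evaluate(policy, resource, released), released


if __name__ == "__main__":
    for user in IDP_ATTRIBUTES:
        decision, released = federated_access(IDP_ATTRIBUTES, SHOP_POLICY, user, "checkout")
        print(f"{user}: {decision}, disclosed={sorted(released)}")
```

A production deployment would treat a NotApplicable result as a deny by default, and the released set should be logged on the IdP side so that the minimisation property can be verified rather than assumed.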
