The last decade of improvement in service offerings over the Internet offers the hope that many kinds of sensitive interactions between strangers can be carried out electronically, without requiring physical transmission of paper credentials to establish trust. In this short paper, I describe one way of converting the current paper-based approach to establishing trust into an electronic approach that minimizes human intervention. I also describe the theoretical and systems issues that are raised by this approach. 1 What kinds of sensitive interactions do we want to accomplish electronically? Last weekend I bought twelve shirts for my husband at a going-out-of-business sale. The lady behind the counter took my credit card, looked at the hologram on the front of the card, ran the card through her scanner, and waited while the computer behind the scanner checked to see that the card had not been revoked and that sufficient credit was available for me to buy all those shirts. Then the cash register printed out a receipt, which I signed. The lady behind the counter compared my signature to the signature on the back of the credit card. After a long pause, she said dubiously, “I guess they’re the same.” In this manner, we two strangers carried out a face-to-face business transaction. The system we used is far from perfect, as it is vulnerable to attack at several points along the line. For example, credit cards can be forged (hence the hologram), stolen (hence the automatic phone call to a remote center to check for revocation, the example signature on the back, and the signature comparison), or expired (hence the automatic check for expiration). My privacy is not well served by the system, since the credit card company knows about all my purchases and likes to sell that information to third parties. Still, with all its weaknesses, the system seems to work fairly well. I would like to see the same ease of interaction between strangers on line, when they come together to carry out a transaction. In this case, the interaction could be between an individual and (a representative of) an organization, as in my previous example; or it could be between two individuals, or two organizations. The scenario could involve an ordinary purchase, as in the example above; participation in an on-line auction; a request to access medical records, military data pertinent to a joint exercise, or any other kinds of sensitive documents; registration for school, for a voters’ card, library card, marriage license, visa,
[1]
Martin Nemzow,et al.
Rethinking Public Key Infrastructures and Digital Certificates and Privacy
,
2001
.
[2]
Marianne Winslett,et al.
Interoperable strategies in automated trust negotiation
,
2001,
CCS '01.
[3]
Amir Herzberg,et al.
Access control meets public key infrastructure, or: assigning roles to strangers
,
2000,
Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000.
[4]
Ivan Visconti,et al.
User privacy issues regarding certificates and the TLS protocol: the design and implementation of the SPSL protocol
,
2000,
CCS.
[5]
Pierangela Samarati,et al.
Regulating service access and information release on the Web
,
2000,
CCS.
[6]
Ninghui Li,et al.
Design of a role-based trust-management framework
,
2002,
Proceedings 2002 IEEE Symposium on Security and Privacy.
[7]
Ninghui Li,et al.
Distributed Credential Chain Discovery in Trust Management
,
2003,
J. Comput. Secur..
[8]
Joachim Biskup,et al.
A Hybrid PKI Model: Application to Secure Mediation
,
2002,
DBSec.
[9]
Kent E. Seamons,et al.
Advanced Client/Server Authentication in TLS
,
2002,
NDSS.
[10]
Stefan A. Brands,et al.
Rethinking Public Key Infrastructures and Digital Certificates: Building in Privacy
,
2000
.
[11]
Joan Feigenbaum,et al.
The KeyNote Trust-Management System Version 2
,
1999,
RFC.