Using attribute certificates with mobile policies in electronic commerce applications

Many electronic commerce applications, including those developed for business-to-consumer (B2C) and business-to-business (B2B) uses, must operate in computing environments that are truly distributed. That is, users can request data access from multiple locations within a distributed computing system. To complicate this type of operation, data can itself be distributed and represented in multiple forms. As a result, system administrators are encountering increasing difficulty in developing and managing application-specific policies for users and data. A multi-tier (N-tier) architecture can provide a powerful solution for meeting the diverse needs of electronic commerce applications. However, a drawback of multi-tier architectures is that they require a user's credentials and the policy-to-data mapping context to be available in the middle tier of the system architecture. This paper addresses the management of users and data by presenting a framework that combines attribute certificates with a mobile policy for effective application-specific control specification and administration in a distributed computing environment. Attribute certificates provide mobility to credentials and also provide fine-grained information about security principals. A mobile policy allows application-specific policies to move along with the data to other elements of the distributed computing system. We propose a high-level definition language to specify policies that are application-specific and mobile, and present an algorithm for enforcing attribute-based mobile policies.
