Trust management on the World Wide Web

Abstract

As once-proprietary mission-specific information systems migrate onto the Web, traditional security analysis cannot sufficiently protect each subsystem atomically. The Web encourages open, decentralized systems that span multiple administrative domains. Trust Management is an emerging framework for decentralizing security decisions that helps developers and others in asking "why" trust is granted rather than immediately focusing on "how" cryptography can enforce it. In this poster, we summarize the implications of Trust Management to future Web applications.

Keywords

Security and authorization; Protocols; Electronic rights management

1. Trust management and the Web

To date, "Web Security" has been associated with debates over cryptographic technology, protocols, and public policy, obscuring the wider challenges of building trusted Web applications. Since the Web aims to be an information space that reflects not just human knowledge but also human relationships, it will soon realize the full complexity of trust relationships among people, computers, and organizations.

Within the computer security community, Trust Management (TM) has emerged as a new philosophy for codifying, analyzing, and managing trust decisions [1,2]. Asking the question "Is someone trusted to take some action on some object?" entails understanding the elements of TM [5]:

Principles

When deciding to trust some principal to take some action on some object, it is absolutely critical to be specific about the privileges granted; to trust yourself when vouchsafing the claim; and to be careful before and after taking that step.

Principals

The decision to grant trust is justified by a chain of assertions. There are three kinds of actors making the assertional links based on their particular identity lifetimes: people make assertions with broad scope, bound to their long-lived names; computers make narrow proofs of correct operation from their limited-scope addresses; and organizations make assertions about people and computers because they have the widest temporal and legal scope of all. Credentials describe each kind of principal and its relationships, such as membership and delegation.

Policies

These are rules about which assertions can be combined to yield permission. Broadly speaking, policies can grant authority based on the identity of the principal asking; the capability at issue; or an object already in hand. In other words, you might be trusted based on who you are, what you can do, or what you have.

Pragmatics

Deploying a TM infrastructure across so many administrative boundaries on the open, distributed Web requires adapting to the pragmatic limitations of the principles, principals, and policies. Since objects can live anywhere on the Web, so can their security labels. Furthermore, such labels should use a common, machine-readable format that recursively uses the Web to document its language. The real benefits of TM come from tying all of these details together within a single TM engine. This will drive a handful of standard protocols, formats, and APIs for representing principals and policies.

In this poster, we describe pragmatic details of Web-based TM technology for identifying principals, labeling resources, and enforcing policies. We sketch how TM might be integrated into Web applications for document authoring and distribution, content filtering, and mobile code security. And, we measure today's Web protocols, servers, and clients against this model.

2. Weaving a Web of trust

We believe that as Web-based applications replace closed information systems, transactions will cross more and more organizational boundaries, often magnifying latent flaws in existing trust relationships. For example, consider the U.S. Social Security Administration's ill-fated attempt to put its records on the Web. Each American worker has a trust relationship with the SSA regarding his or her pensions, sealed by the "secrecy" of his or her Social Security Number, mother's maiden name, and birth state. For decades, those were the keys to obtaining one's Personal Earnings and Benefit Estimate Statement (PEBES). When the exact same interface was reflected on the Web, however, nationwide outrage erupted over the perceived loss of privacy, resulting in a hurried shutdown and "reevaluation" [3].

In this case, fast and easy HTTP access has raised the potential for large-scale abuse not present in the existing postal system. The SSA is ensconced in a trust relationship that is not represented by a corresponding secret, so cryptography cannot solve their problem. Computers can alter the equation only by substituting the explicit power of cryptography for the implicit power of psychology. The irony is that they do share one secret record with each worker: that worker's earnings history — which is why workers request a PEBES in the first place!

In the end, there will have to be a more secure way of accessing such records — perhaps with a digital identity certificate corresponding to today's Social Security Card. Such precautions may even strengthen how the "traditional" paper system works. Cryptography can offer much stronger proofs than traditional means, so trust relationships will tend to be cemented with shared secrets that enable those protocols, such as PIN numbers, shared keys, and credentials.

Web publishers, administrators, and readers will all need infrastructure "to help users decide what to trust on the Web" [4]. This poster represents a call to arms to the parties who have a role in bringing this vision to fruition:

Web developers

The people and organizations ultimately responsible for reducing Web standard formats, protocols, and APIs to practice in software and hardware should be committed to developing Trust Management technologies. They should become engaged in the current standardization debates surrounding public key infrastructure (the SPKI/SDSI working group at the IETF); digital signatures (in the legislatures and courts, as well as IETF and W3C); and formats for adding security and trust metadata to the Web (at W3C).

Web users

Users have the power to persuade developers to follow this agenda. Web users should be aware of the laundry list of trust decisions confronting them every day: whether they are talking to the right organization, whether they should run an applet, or whether they should allow their children to access a site.

Application designers

The businesspeople, programmers, and regulators responsible for creating and controlling new, secure Web applications should use the concepts identified in this poster to identify and control security risks. It is not merely a cryptographer's problem to uphold the principles of Trust Management, identify principals, construct policies, and integrate them with the Web. Each participant in application development should think carefully about whom s/he is trusting, in what roles, to permit some action.

Citizens

The emergence of the Web as a social phenomenon will even affect people who do not use the Web. As informed citizens, we must consider the impact of automating trust decisions and moving our human bonds into WebSpace. Trust Management tools allow communities of people to define their own worldviews — at what risk of Balkanization?

If we all work together, automatable Trust Management could indeed weave a World Wide Web of Trust, spun from the filaments of our faith in one another.

Acknowledgements

Mr. Khare's work was sponsored by the Defense Advanced Research Projects Agency and Air Force Research Laboratory, Air Force Materiel Command, USAF, under agreement number F30602-97-2-0021. He would also like to thank MCI Internet Architecture for its support in this research.

Mr. Rifkin's work was supported under the Caltech Infospheres Project, sponsored by the CISE directorate of the National Science Foundation under Problem Solving Environments grant CCR-9527130 and by the NSF Center for Research on Parallel Computation under Cooperative Agreement Number CCR-9120008.

References

1. [1] M. Blaze, J. Feigenbaum, and J. Lacy, Decentralized trust management, in: Proceedings of the 1996 IEEE Symposium on Security and Privacy. IEEE Computer Society Press, Los Alamitos, 1996, pp. 164–173, available as a DIMACS Technical Report from ftp://dimacs.rutgers.edu/pub/dimacs/TechnicalReports/TechReports/1996/96-17.ps.gz
2. [2] E. Brickell, J. Feigenbaum, and D. Maher, in: DIMACS Workshop on Trust Management in Networks, South Plainfield, NJ, September 1996, available at http://dimacs.rutgers.edu/Workshops/Management/
3. [3] S. Garfinkel, Few key bits of info open social security records, USA Today, p. A1, May 12, 1997.
4. [4] R. Khare, Digital signature label architecture, World Wide Web Journal Special Issue on Security, 2(3): 49–64, Summer 1997.
5. [5] R. Khare and A. Rifkin, Weaving a Web of trust, World Wide Web Journal Special Issue on Security, 2(3): 77–112, Summer 1997, available at http://www.cs.caltech.edu/~adam/papers/trust.html