Skip to main content

Research Repository

Advanced Search

Obligations of trust for privacy and confidentiality in distributed transactions

Mbanaso, UM; Cooper, GS; Chadwick, DM; Anderson, A

Authors

UM Mbanaso

GS Cooper

DM Chadwick

A Anderson



Abstract

Purpose – This paper aims to describe a bilateral symmetric approach to authorization, privacy protection and obligation enforcement in distributed transactions. The authors introduce the concept of the obligation of trust (OoT) protocol as a privacy assurance and authorization mechanism that is built upon the XACML standard. The OoT allows two communicating parties to dynamically exchange their privacy and authorization requirements and capabilities, which the authors term a notification of obligation (NoB), as well as their commitments to fulfilling each other's requirements, which the authors term signed acceptance of obligations (SAO). The authors seek to describe some applicability of these concepts and to show how they can be integrated into distributed authorization systems for stricter privacy and confidentiality control.
Design/methodology/approach – Existing access control and privacy protection systems are typically unilateral and provider-centric, in that the enterprise service provider assigns the access rights, makes the access control decisions, and determines the privacy policy. There is no negotiation between the client and the service provider about which access control or privacy policy to use. The authors adopt a symmetric, more user-centric approach to privacy protection and authorization, which treats the client and service provider as peers, in which both can stipulate their requirements and capabilities, and hence negotiate terms which are equally acceptable to both parties.
Findings – The authors demonstrate how the obligation of trust protocol can be used in a number of different scenarios to improve upon the mechanisms that are currently available today.
Practical implications – This approach will serve to increase trust in distributed transactions since each communicating party receives a difficult to repudiate digitally signed acceptance of obligations, in a standard language (XACML), which can be automatically enforced by their respective computing machinery.
Originality/value – The paper adds to current research in trust negotiation, privacy protection and authorization by combining all three together into one set of standardized protocols. Furthermore, by providing hard to repudiate signed acceptance of obligations messages, this strengthens the legal case of the injured party should a dispute arise.

Citation

Mbanaso, U., Cooper, G., Chadwick, D., & Anderson, A. (2009). Obligations of trust for privacy and confidentiality in distributed transactions. Internet Research, 19(2), 153-173. https://doi.org/10.1108/10662240910952328

Journal Article Type Article
Publication Date Jan 1, 2009
Deposit Date Apr 28, 2009
Publicly Available Date Apr 28, 2009
Journal Internet Research
Print ISSN 1066-2243
Publisher Emerald
Peer Reviewed Peer Reviewed
Volume 19
Issue 2
Pages 153-173
DOI https://doi.org/10.1108/10662240910952328
Keywords Data security, distributed parameter control systems, privacy, trust, XACML, obligations, trust negotiation, SAML, authorization
Publisher URL http://dx.doi.org/10.1108/10662240910952328
Related Public URLs http://www.emeraldinsight.com/Insight/menuNavigation.do;jsessionid=F575C9A1174439AFB54E9B6D088A818B?hdAction=InsightHome
http://www.emeraldinsight.com/Insight/viewContainer.do?containerType=Journal&containerId=11229
Additional Information References : 1. Anderson, A. (2007), "Web services profile of XACML (WS-XACML) version 1.0" 2. Bertino, E., Ferrari, E., Squicciarini, A. (2004), "Trust negotiations: concepts, systems and languages", Computing in Science and Engineering, Vol.6, No. 4, pp 27-34 3. Bertino, E.F.E., Squicciarini, A. (2003), "X-TNL: an XML-based language for trust negotiations", pp 81-4 4. CA/Browser Forum (2008), "Guidelines for the issuance and management of extended validation certificates" 5. Liberty Alliance Project (2006), "Liberty ID-WSF web services framework overview version: 2.0" 6. Mbanaso, U., Cooper, G.S., Chadwick, D.W., Proctor, S. (2006), "Privacy preserving trust authorization using XACML", pp 673-8 7. Morgan, R.L., Cantor, S., Carmody, S., Hoehn, W., Klingenstein, K. (2004), "Federated security: the shibboleth approach", Educause Quarterly, Vol.27, No. 4 8. OASIS (2005a), "Security Assertion Markup Language (SAML) V2.0" 9. OASIS (2005b), "eXtensible Access Control Markup Language (XACML) Version 2.0" 10. OASIS (2006), "Web services security: SOAP message security 1.1 (WS-Security 2004)" 11. OASIS (2007), "WS-Trust 1.3, OASIS standard" 12. OECD (2000), "Fair information practices in the electronic marketplace: a report to congress" 13. Pau, L.-F. (2006), "Privacy negotiation and implications on implementations" 14. Preibusch, S. (2006), "Privacy negotiations with P3P" 15. Seamons, K.E., Ryutov, T., Zhou, L., Neuman, C., Leithead, T. (2005), "Adaptive trust negotiation and access control", pp 139-46 16. Seamons, K.E., Winslett, M., Yu, T., Yu, L., Jarvis, R. (2003), "Protecting privacy during on-line trust negotiation", pp 249-53 17. Skogsrud, H., Benatallah, B., Casati, F. (2004), "A trust negotiation system for digital library web services", International Journal on Digital Libraries, Vol.4, No. 3, pp 185-207 18. Spantzel, A.B., Squicciarini, A.C., Bertino, E. (2007), "Trust negotiation in identity management", IEEE Security and Privacy, Vol.5, No. 2, pp 55-63 19. University of Salford (2006), "Schema for obligation of trust (OoT)" 20. W3C (2002a), "A P3P preference exchange language 1.0 (APPEL1.0)" 21. W3C (2002b), "The platform for privacy preferences 1.0 (P3P1.0) specification" 22. W3C (2007), "Web services policy 1.5 – Framework (WS-Policy)" 23. Winsborough, W.H., Li, N. (2002), "Towards practical automated trust negotiation", pp 92-103 24. Winsborough, W.H., Ninghui, L. (2002), "Protecting sensitive attributes in automated trust negotiation", pp 41-51

Files

Obligation_for_Privacy_and_Confidentiality_in_Distributed_Systems-journal-final.pdf (656 Kb)
PDF

Version
Author version






Downloadable Citations