
Computer Networks and ISDN Systems 30 (1998) 651-653

Short Paper

Trust management on the World Wide Web

Abstract

As once-proprietary mission-specific information systems migrate onto the Web, traditional security analysis cannot sufficiently protect each subsystem atomically. The Web encourages open, decentralized systems that span multiple administrative domains. Trust Management is an emerging framework for decentralizing security decisions that helps developers and others in asking "why" trust is granted rather than immediately focusing on "how" cryptography can enforce it. In this poster, we summarize the implications of Trust Management to future Web applications. © 1998 Published by Elsevier Science B.V. All rights reserved.

Keywords: Security and authorization; Protocols; Electronic rights management

1. Trust management and the Web

To date, "Web Security" has been associated with debates over cryptographic technology, protocols, and public policy, obscuring the wider challenges of building trusted Web applications. Since the Web aims to be an information space that reflects not just human knowledge but also human relationships, it will soon realize the full complexity of trust relationships among people, computers, and organizations.

Within the computer security community, Trust Management (TM) has emerged as a new philosophy for codifying, analyzing, and managing trust decisions [1,2]. Asking the question "Is someone trusted to take some action on some object?" entails understanding the elements of TM [5]:

0169-7552/98 © 1998 Published by Elsevier Science B.V. PII: S0169-7552(98)00091-9

Principles When deciding to trust some principal to take some action on some object, it is absolutely critical to be specific about the privileges granted; to trust yourself when vouchsafing the claim; and to be careful before and after taking that step.

Principals The decision to grant trust is justified by a chain of assertions. There are three kinds of actors making the assertional links based on their particular identity lifetimes: people make assertions with broad scope, bound to their long-lived names; computers make narrow proofs of correct operation from their limited-scope addresses; and organizations make assertions about people and computers because they have the widest temporal and legal scope of all. Credentials describe each kind of principal and its relationships, such as membership and delegation.

Policies These are rules about which assertions can be combined to yield permission. Broadly speaking, policies can grant authority based on the identity of the principal asking; the capability at issue; or an object already in hand. In other words, you might be trusted based on who you are, what you can do, or what you have.

Pragmatics Deploying a TM infrastructure across so many administrative boundaries on the open, distributed Web requires adapting to the pragmatic limitations of the principles, principals, and policies. Since objects can live anywhere on the Web, so can their security labels. Furthermore, such labels should use a common, machine-readable format that recursively uses the Web to document its language. The real benefits of TM come from tying all of these details together within a single TM engine. This will drive a handful of standard protocols, formats, and APIs for representing principals and policies. In this poster, we describe pragmatic details of Web-based TM technology for identifying principals, labeling resources, and enforcing policies. We sketch how TM might be integrated into Web applications for document authoring and distribution, content filtering, and mobile code security. And, we measure today's Web protocols, servers, and clients against this model.
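As an added illustration (not code from the paper or its authors), a toy TM engine that answers the question "is some principal trusted to take some action on some object?" by chaining credentials under the three policy bases above, with each delegation link only able to narrow what its issuer holds. The principal names, group, object path and token are constructed for the example.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Credential:
    issuer: str                      # principal vouching for the claim
    subject: str                     # principal the claim is about
    kind: str                        # "member" | "delegate" | "holds"
    scope: frozenset = frozenset()   # "delegate": permitted (action, object) pairs
    label: str = ""                  # "member": group name; "holds": object/token id

class TMEngine:
    def __init__(self, trust_roots, creds):
        self.roots = set(trust_roots)  # issuers trusted directly ("trust yourself")
        self.creds = list(creds)
    def vouched(self, kind, who, label):
        # identity ("who you are") and object ("what you have") bases: a trust root
        # asserts group membership or possession of a token/object
        return any(c.kind == kind and c.subject == who and c.label == label
                   and c.issuer in self.roots for c in self.creds)

    def capability(self, who, action, obj, seen=frozenset()):
        # capability ("what you can do"): follow a delegation chain back to a trust
        # root; a link only counts if its issuer itself holds (action, obj) ("be specific")
        if who in self.roots: return True
        return any(c.kind == "delegate" and c.subject == who and (action, obj) in c.scope
                   and c.issuer not in seen                      # cycle guard
                   and self.capability(c.issuer, action, obj, seen | {who})
                   for c in self.creds)

    def decide(self, policy, who, action, obj):
        # policy: list of clauses; any satisfied clause yields permission
        for clause in policy:
            if clause[0] == "identity" and self.vouched("member", who, clause[1]): return True
            if clause[0] == "capability" and self.capability(who, action, obj): return True
            if clause[0] == "object" and self.vouched("holds", who, clause[1]): return True
        return False

# Constructed sample credentials (hypothetical names); bob's grant to carol tries to
# widen his own scope with "delete", which the chain check must reject.
CREDS = [
    Credential("acme.org", "alice", "member", label="editors"),
    Credential("acme.org", "bob", "delegate", frozenset({("edit", "/doc/plan")})),
    Credential("bob", "carol", "delegate", frozenset({("edit", "/doc/plan"), ("delete", "/doc/plan")})),
    Credential("acme.org", "dave", "holds", label="ticket-7"),
]
POLICY = [("identity", "editors"), ("capability",), ("object", "ticket-7")]

def example_decisions():
    eng = TMEngine({"acme.org"}, CREDS)
    return {(who, act): eng.decide(POLICY, who, act, "/doc/plan") for who, act in
            [("alice", "edit"), ("carol", "edit"), ("carol", "delete"), ("dave", "edit"), ("eve", "edit")]}
```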

2. Weaving a Web of trust

We believe that as Web-based applications replace closed information systems, transactions will cross more and more organizational boundaries, often magnifying latent flaws in existing trust relationships. For example, consider the U.S. Social Security Administration's ill-fated attempt to put its records on the Web. Each American worker has a trust relationship with the SSA regarding his or her pensions, sealed by the "secrecy" of his or her Social Security Number, mother's maiden name, and birth state. For decades, those were the keys to obtaining one's Personal Earnings and Benefit Estimate Statement (PEBES). When the exact same interface was reflected on the Web, however, nationwide outrage erupted over the perceived loss of privacy, resulting in a hurried shutdown and "reevaluation" [3].

In this case, fast and easy HTTP access has raised the potential for large-scale abuse not present in the existing postal system. The SSA is ensconced in a trust relationship that is not represented by a corresponding secret, so cryptography cannot solve their problem. Computers can alter the equation only by substituting the explicit power of cryptography for the implicit power of psychology. The irony is that they do share one secret record with each worker: that worker's earnings history - which is why workers request a PEBES in the first place!

In the end, there will have to be a more secure way of accessing such records - perhaps with a digital identity certificate corresponding to today's Social Security Card. Such precautions may even strengthen how the "traditional" paper system works. Cryptography can offer much stronger proofs than traditional means, so trust relationships will tend to be cemented with shared secrets that enable those protocols, such as PIN numbers, shared keys, and credentials.

Web publishers, administrators, and readers will all need infrastructure "to help users decide what to trust on the Web" [4]. This poster represents a call to arms to the parties who have a role in bringing this vision to fruition:

Web developers The people and organizations ultimately responsible for reducing Web standard formats, protocols, and APIs to practice in software and hardware should be committed to developing Trust Management technologies. They should become engaged in the current standardization debates surrounding public key infrastructure (the SPKI/SDSI working group at the IETF); digital signatures (in the legislatures and courts, as well as IETF and W3C); and formats for adding security and trust metadata to the Web (at W3C).

Web users Users have the power to persuade developers to follow this agenda. Web users should be aware of the laundry list of trust decisions confronting them every day: whether they are talking to the right organization, whether they should run an applet, or whether they should allow their children to access a site.

Application designers The businesspeople, programmers, and regulators responsible for creating and controlling new, secure Web applications should use the concepts identified in this poster to identify and control security risks. It is not merely a cryptographer's problem to uphold the principles of Trust Management, identify principals, construct policies, and integrate them with the Web. Each participant in application development should think carefully about whom s/he is trusting, in what roles, to permit some action.

Citizens The emergence of the Web as a social phenomenon will even affect people who do not use the Web. As informed citizens, we must consider the impact of automating trust decisions and moving our human bonds into WebSpace. Trust Management tools allow communities of people to define their own worldviews - at what risk of Balkanization? If we all work together, automatable Trust Management could indeed weave a World Wide Web of Trust, spun from the filaments of our faith in one another.

Acknowledgements

Mr. Khare's work was sponsored by the Defense Advanced Research Projects Agency and Air Force Research Laboratory, Air Force Materiel Command, USAF, under agreement number F30602-97-2-0021. He would also like to thank MCI Internet Architecture for its support in this research.

Mr. Rifkin's work was supported under the Caltech Infospheres Project, sponsored by the CISE directorate of the National Science Foundation under Problem Solving Environments grant CCR-9527130 and by the NSF Center for Research on Parallel Computation under Cooperative Agreement Number CCR-9120008.

References

[1] M. Blaze, J. Feigenbaum, and J. Lacy, Decentralized trust management, in: Proceedings of the 1996 IEEE Symposium on Security and Privacy, IEEE Computer Society Press, Los Alamitos, 1996, pp. 164-173, available as a DIMACS Technical Report from ftp://dimacs.rutgers.edu/pub/dimacs/TechnicalReports/TechReports/1996/96-17.ps.gz

[2] E. Brickell, J. Feigenbaum, and D. Maher, in: DIMACS Workshop on Trust Management in Networks, South Plainfield, NJ, September 1996, available at http://dimacs.rutgers.edu/Workshops/Management/

[3] S. Garfinkel, Few key bits of info open social security records, USA Today, p. A1, May 12, 1997.

[4] R. Khare, Digital signature label architecture, World Wide Web Journal, Special Issue on Security, 2(3): 49-64, Summer 1997.

[5] R. Khare and A. Rifkin, Weaving a Web of trust, World Wide Web Journal, Special Issue on Security, 2(3): 77-112, Summer 1997, available at http://www.cs.caltech.edu/~adam/papers/trust.html