Academic journal article Journal of Theoretical and Applied Electronic Commerce Research

A Flexible Architecture for Privacy-Aware Trust Management

Abstract

In service-oriented systems a constellation of services cooperate, sharing potentially sensitive information and responsibilities. Cooperation is only possible if the different participants trust each other. As trust may depend on many different factors, in a flexible framework for Trust Management (TM) trust must be computed by combining different types of information. In this paper we describe the TAS3 TM framework which integrates independent TM systems into a single trust decision point. The TM framework supports intricate combinations whilst still remaining easily extensible. It also provides a unified trust evaluation interface to the (authorization framework of the) services. We demonstrate the flexibility of the approach by integrating three distinct TM paradigms: reputation-based TM, credential-based TM, and Key Performance Indicator TM. Finally, we discuss privacy concerns in TM systems and the directions to be taken for the definition of a privacy-friendly TM architecture.

Key words: Trust Management, Security Framework, Reputation-based Trust Management, Credential-based Trust Management, Key Performance Indicator Trust Management

(ProQuest: ... denotes formulae omitted.)

1 Introduction

In service-oriented systems a constellation of services cooperate, sharing potentially sensitive information and responsibilities. For example, service-oriented systems in the employability setting rely heavily on personally identifiable information (PII); e.g. a job seeker's CV needs to be matched with open positions, a worker's career plans need to be linked with suitable trainings, etc. Traditional access control mechanisms are centralized and operate under the assumption that all principals are known by the system. This assumption, however, is not applicable to distributed systems where principals do not know each other a priori.

Sharing PII in distributed systems is only possible if the different participants trust each other: the end users need to trust the service providers, but also the service providers have to trust each other. As trust may depend on many different factors, in a flexible framework for Trust Management (TM) trust must be computed by combining different types of information. The aim of the Trusted Architecture for Securely Shared Services (TAS3) project is to build an architecture which enables sharing PII among services in a secure and trustworthy manner. This paper describes the TM framework developed within the TAS3 project.

In TM systems (e.g., [5], [4], [29], [19], [13], [2]), decisions are taken based on statements made by multiple principals. The decision about who can be trusted (e.g., to access a resource) is taken not just by a single principal but by taking into account information from other principals. In this way the decision is, at least partially, delegated to other principals. The form of delegation depends on the relationship with the other principals and the type of trust information that is made available to her.

Existing TM systems compute trust from specific types of trust information. Credential-based TM [5], [4], [29] is an approach to distributed access control in which access decisions are based on credentials issued by multiple principals and stored in a distributed manner. The credential-based TM service automates the process of determining whether a principal has the necessary credentials to access the requested resources. Using credential-based TM, an employability provider may trust that the job seeker has an MSc degree based on credentials issued by a university. In reputation-based TM (RTM; see [13] for an overview), the decision whether to trust a service provider or not depends on the reputation of that provider. The RTM service aggregates feedback given by users into reputation values. Users can define trust policies which refer to the reputation values in order to identify trustworthy service providers. …
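The following added sketch (not code from the paper or the TAS3 project) shows how a single trust decision point can combine a credential-based and a reputation-based source as described above. All names, the 1-5 rating scale, the thresholds and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Credential:
    issuer: str
    subject: str
    claim: str

# Constructed sample data (not from the paper).
CREDS = {
    Credential("accreditation-board", "uni-a", "university"),
    Credential("uni-a", "alice", "msc"),
    Credential("diploma-mill", "bob", "msc"),
}
FEEDBACK = {"provider-x": [5, 4, 5, 4], "provider-y": [5], "provider-z": [1, 2, 5, 1]}

def credential_tm(subject, claim, root="accreditation-board"):
    """Credential-based TM: the claim counts only if its issuer holds a
    'university' credential issued by the trusted root (one delegation step)."""
    return any(
        c.subject == subject and c.claim == claim
        and Credential(root, c.issuer, "university") in CREDS
        for c in CREDS
    )

def reputation_tm(provider, threshold=0.7, min_ratings=3):
    """Reputation-based TM: aggregate 1-5 feedback into a value in [0, 1];
    too few ratings yield no reputation, so the check fails closed."""
    ratings = FEEDBACK.get(provider, [])
    if len(ratings) < min_ratings:
        return False
    return (sum(ratings) / len(ratings) - 1) / 4 >= threshold

# Independent TM systems registered behind one evaluation interface.
SOURCES = {"credential": credential_tm, "reputation": reputation_tm}

def trust_decision(policy):
    """Single trust decision point: every (source, args) clause must hold.
    An empty policy or an unknown source name denies instead of passing."""
    return bool(policy) and all(
        name in SOURCES and SOURCES[name](*args) for name, args in policy
    )

if __name__ == "__main__":
    policy = [("credential", ("alice", "msc")), ("reputation", ("provider-x",))]
    print("share CV:", trust_decision(policy))
```

A new TM paradigm is added by registering one more callable in `SOURCES`; policies that name a source which is not registered are denied.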
