As once-proprietary mission-specific information systems migrate onto the Web, traditional security analysis, which protects each subsystem in isolation, can no longer suffice. The Web encourages open, decentralized systems that span multiple administrative domains. Trust Management is an emerging framework for decentralizing security decisions; it helps developers and others ask "why" trust is granted before focusing on "how" cryptography can enforce it. In this poster, we summarize the implications of Trust Management for future Web applications.
Keywords: Security and Authorization, Protocols, Electronic Rights Management.
To date, "Web Security" has been associated with debates over cryptographic technology, protocols, and public policy, obscuring the wider challenges of building trusted Web applications. Since the Web aims to be an information space that reflects not just human knowledge but also human relationships, it will soon realize the full complexity of trust relationships among people, computers, and organizations.
Within the computer security community, Trust Management (TM) has emerged as a new philosophy for codifying, analyzing, and managing trust decisions [Blaze et al., 1996; Brickell et al., 1996]. Asking the question "Is someone trusted to take some action on some object?" entails understanding the elements of TM [Khare and Rifkin, 1997]:
In this poster, we describe pragmatic details of Web-based TM technology for identifying principals, labeling resources, and enforcing policies. We sketch how TM might be integrated into Web applications for document authoring and distribution, content filtering, and mobile code security. And, we measure today's Web protocols, servers, and clients against this model.
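As an added illustration (not part of the poster, and not the authors' or any real TM system's code), the following toy evaluator models the three elements named above: principals (opaque key identifiers such as "key:alice"), labeled resources, and policy assertions in which one principal grants another an action on a label pattern, optionally with the right to delegate further. The query "is principal P trusted to take action A on resource R?" returns the chain of assertions that justifies a grant, which is the "why" the poster asks for, rather than the cryptographic "how". The assertion format, the "key=*" label wildcard, the sample principals and resources are all constructed for this example; signature verification of assertions is assumed to have happened before they enter the set.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Assertion:
    issuer: str     # principal granting authority (assumed already signature-checked)
    subject: str    # principal receiving the authority
    action: str     # e.g. "publish", "read"
    label: str      # resource label pattern, e.g. "site=press" or "sensitivity=*"
    delegate: bool  # may the subject pass this authority on to others?

# The verifier's own local policy is the only unconditionally trusted issuer.
LOCAL_ROOT = "key:local-policy"

def label_matches(pattern: str, label: str) -> bool:
    """'key=*' matches any value for that key; anything else must match exactly."""
    pk, _, pv = pattern.partition("=")
    lk, _, lv = label.partition("=")
    return pk == lk and (pv == "*" or pv == lv)

def justify(assertions: List[Assertion], principal: str, action: str,
            label: str, _seen: frozenset = frozenset()) -> Optional[List[Assertion]]:
    """Return a chain of assertions from LOCAL_ROOT down to `principal` for
    (action, label), or None if no such chain exists. Delegation is only
    honoured when the issuer's own grant carries delegate=True; `_seen`
    cuts cycles in mutually delegating assertion sets."""
    if principal in _seen:
        return None
    for a in assertions:
        if a.subject != principal or a.action != action or not label_matches(a.label, label):
            continue
        if a.issuer == LOCAL_ROOT:
            return [a]
        upstream = justify(assertions, a.issuer, action, label, _seen | {principal})
        if upstream and upstream[-1].delegate:
            return upstream + [a]
    return None

def check(assertions: List[Assertion], resource_labels: Dict[str, str],
          principal: str, action: str, resource: str) -> Optional[List[Assertion]]:
    """Answer the TM question for a concrete resource; unlabeled resources fail closed."""
    label = resource_labels.get(resource)
    if label is None:
        return None
    return justify(assertions, principal, action, label)

def explain(chain: Optional[List[Assertion]]) -> str:
    """Render the justification as a delegation path, or state the denial."""
    if chain is None:
        return "denied: no chain of assertions reaches local policy"
    return "granted via " + " -> ".join(f"{a.issuer}=>{a.subject}" for a in chain)

# Constructed sample policy and resource labels (hypothetical principals).
ASSERTIONS = [
    Assertion(LOCAL_ROOT, "key:editor", "publish", "site=press", delegate=True),
    Assertion("key:editor", "key:alice", "publish", "site=press", delegate=False),
    # Alice tries to re-delegate; her own grant forbids it, so this never helps Bob.
    Assertion("key:alice", "key:bob", "publish", "site=press", delegate=False),
    Assertion(LOCAL_ROOT, "key:filter", "read", "sensitivity=*", delegate=False),
]
RESOURCE_LABELS = {
    "/press/release.html": "site=press",
    "/hr/salaries.html": "sensitivity=internal",
}

if __name__ == "__main__":
    for who, act, res in [("key:alice", "publish", "/press/release.html"),
                          ("key:bob", "publish", "/press/release.html"),
                          ("key:filter", "read", "/hr/salaries.html"),
                          ("key:alice", "read", "/hr/salaries.html")]:
        print(who, act, res, "->", explain(check(ASSERTIONS, RESOURCE_LABELS, who, act, res)))
```

The point of returning the chain rather than a boolean is that an audit log or a user prompt can show which assertion, and whose delegation, produced the decision; a denial for Bob is then traceable to Alice's non-delegable grant rather than to an opaque failure.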
We believe that as Web-based applications replace closed information systems, transactions will cross more and more organizational boundaries, often magnifying latent flaws in existing trust relationships. For example, consider the U.S. Social Security Administration's ill-fated attempt to put its records on the Web. Each American worker has a trust relationship with the SSA regarding his or her pensions, sealed by the "secrecy" of his or her Social Security Number, mother's maiden name, and birth state. For decades, those were the keys to obtaining one's Personal Earnings and Benefit Estimate Statement (PEBES). When the exact same interface was reflected on the Web, however, nationwide outrage erupted over the perceived loss of privacy, resulting in a hurried shutdown and "reevaluation" [Garfinkel, 1997].
In this case, fast and easy HTTP access has raised the potential for large-scale abuse not present in the existing postal system. The SSA is ensconced in a trust relationship that is not represented by a corresponding secret, so cryptography cannot solve their problem. Computers can alter the equation only by substituting the explicit power of cryptography for the implicit power of psychology. The irony is that they do share one secret record with each worker: that worker's earnings history -- which is why workers request a PEBES in the first place!
In the end, there will have to be a more secure way of accessing such records -- perhaps with a digital identity certificate corresponding to today's Social Security Card. Such precautions may even strengthen how the "traditional" paper system works. Cryptography can offer much stronger proofs than traditional means, so trust relationships will tend to be cemented with shared secrets that enable those protocols, such as PINs, shared keys, and credentials.
Web publishers, administrators, and readers will all need infrastructure "to help users decide what to trust on the Web" [Khare, 1997]. This poster represents a call to arms to the parties who have a role in bringing this vision to fruition:
If we all work together, automatable Trust Management could indeed weave a World Wide Web of Trust, spun from the filaments of our faith in one another.
Mr. Khare's work was sponsored by the Defense Advanced Research Projects Agency and Air Force Research Laboratory, Air Force Materiel Command, USAF, under agreement number F30602-97-2-0021. He would also like to thank MCI Internet Architecture for its support in this research.
Mr. Rifkin's work was supported under the Caltech Infospheres Project, sponsored by the CISE directorate of the National Science Foundation under Problem Solving Environments grant CCR-9527130 and by the NSF Center for Research on Parallel Computation under Cooperative Agreement Number CCR-9120008.