M. Blaze, J. Feigenbaum, and J. Lacy. Decentralized Trust Management. In Proc. of the 17th Symposium on Security and Privacy, pages 164-173. IEEE Computer Society Press, Los Alamitos, 1996.

Presenter: Tony Wu

This paper introduced the first example of a “trust-management engine” which is called PolicyMaker .

The old mechanism is like this:

The PolicyMaker’s approach is like this:

Traditional public key certificate

Name/Identity

Authorization

Trust manageme

nt credential

Authorization

Information found

on certificat

e

External lookup

Information found

on credentia

l

“...The problem of reliably mapping names to the actions they are trusted to perform can represent as much of a security risk as the problem of mapping public keys to names, yet the certificate do not help the application map names to actions...”

Novelty: the trust management problem has not previously been identified as a general problem and studied in its own right.

Usability: Secure Email system. Anonymous electronic voting system.

Non-obvious: The PolicyMaker engine is very complex. There are lots of mathematical details for the compliance checking.

“...PolicyMaker departs sharply from certificate-based security system centred on the binding of identities to keys in that it allows requested of secure services to prove directly that they hold credentials that authorize them to use those services...”

The authors didn’t provide any comprehensive diagrams to show the idea.

UserAuthenticat

orAuthoriser

UserID

Requests

Yes/No

User

Verifier

PolicyMaker EngineQuery

Yes/No

Local Policy

PolicyMaker is unable to handle dynamic form of trust.

Systems change and evolve so there is a need to monitor trust relationships to determine whether the criteria on which they are based still apply. This could also involve the process of keeping track of the activities of the trustee and of determining the necessary action needed when the trustee violates the trustor’s trust.

It should cover monitoring and re-evaluation of trust.

Where should the boundaries be drawn between a trust-management system and the application use it? For example, should credential-fetching and digital signature verification be the responsibility of the trust-management system or the calling application?