Obligations for privacy and confidentiality in distributed transactions

  • Authors:

  • U. M. Mbanaso;G. S. Cooper;David Chadwick;Anne Anderson

  • Affiliations:

  • Informatics Research Institute, University of Salford, UK;Informatics Research Institute, University of Salford, UK;Computing Laboratory, University of Kent, UK;Sun Microsystems Inc., Burlington, MA

  • Venue:
  • EUC'07 Proceedings of the 2007 conference on Emerging direction in embedded and ubiquitous computing
  • Year:
  • 2007

Quantified Score

Hi-index 0.00

Visualization

Abstract

Existing access control systems are typically unilateral in that the enterprise service provider assigns the access rights and makes the access control decisions, and there is no negotiation between the client and the service provider. As access management systems lean towards being user-centric, unilateral approaches can no longer adequately preserve the user's privacy, particularly where the communicating parties have no pre-existing trust relationships. Establishing sufficient trust is therefore essential before parties can exchange sensitive information. This paper describes a bilateral symmetric approach to access control which deals with privacy and confidentiality simultaneously in distributed transactions. We introduce the concept of Obligation of Trust (OoT) as a privacy assurance mechanism that is built upon the XACML standard. The OoT allows communicating parties to dynamically exchange their privacy requirements, which we term Notification of Obligations (NOB) as well as their committed obligations, which we term Signed Acceptance of Obligations (SAO). We describe some applicability of these concepts and show how they can be integrated into distributed access control systems for stricter privacy and confidentiality control.