An access control model for dynamic client-side content

Authors:
Adam Hess;Kent E. Seamons
Affiliations:
Brigham Young University, Provo, UT;Brigham Young University, Provo, UT
Venue:
Proceedings of the eighth ACM symposium on Access control models and technologies
Year:
2003

Citing 13
Cited 1

A fuzzy document retrieval system using the keyword connection matrix and a learning method

Fuzzy Sets and Systems - Special issue on applications of fuzzy systems theory, Iizuka '88
Role-Based Access Control Models

Computer
Computer Evaluation of Indexing and Text Processing

Journal of the ACM (JACM)
Regulating service access and information release on the Web

Proceedings of the 7th ACM conference on Computer and communications security
SSL and TLS: designing and building secure systems

SSL and TLS: designing and building secure systems
On specifying security policies for web documents with an XML-based language

SACMAT '01 Proceedings of the sixth ACM symposium on Access control models and technologies
ACM SIGAda Ada Letters

ACM SIGAda Ada Letters
Supporting structured credentials and sensitive policies through interoperable strategies for automated trust negotiation

ACM Transactions on Information and System Security (TISSEC)
Negotiating Trust on the Web

IEEE Internet Computing
Binding identities and attributes using digitally signed certificates

ACSAC '00 Proceedings of the 16th Annual Computer Security Applications Conference
Requirements for Policy Languages for Trust Negotiation

POLICY '02 Proceedings of the 3rd International Workshop on Policies for Distributed Systems and Networks (POLICY'02)
Towards Practical Automated Trust Negotiation

POLICY '02 Proceedings of the 3rd International Workshop on Policies for Distributed Systems and Networks (POLICY'02)
Access Control Meets Public Key Infrastructure, Or: Assigning Roles to Strangers

SP '00 Proceedings of the 2000 IEEE Symposium on Security and Privacy

An introduction to trust negotiation

iTrust'03 Proceedings of the 1st international conference on Trust management

Quantified Score

Hi-index	0.00

Visualization

Abstract

The focus of access control in client/server environments is on protecting sensitive server resources by determining whether or not a client is authorized to access those resources. The set of resources are usually static, and an access control policy associated with each resource specifies who is authorized to access the resource. In this paper, we turn the traditional client/server access control model on its head, and address how to protect the sensitive content that clients disclose to servers. Since client content is dynamically generated at runtime, the usual approach of associating a policy with the resource (content) a priori does not work. In this paper, we propose an access control model for protecting client-side content that is dynamically generated and disclosed at runtime. Our model identifies sensitive content, maps the sensitive content to an access control policy, and establishes the trustworthiness of the server before disclosing the sensitive content to the server. The model targets open systems, where clients and servers do not have preexisting trust relationships. We have implemented the model within TrustBuilder, an architecture for negotiating trust between strangers based on properties other than identity. The implementation is the first example of content-triggered trust negotiation and currently supports access control for sensitive content disclosed by web and email clients.