Using attribute certificates with mobile policies in electronic commerce applications

  • Authors:
  • V. Doshi;A. Fayad;S. Jajodia;R. MacLean

  • Affiliations:
  • -;-;-;-

  • Venue:
  • ACSAC '00 Proceedings of the 16th Annual Computer Security Applications Conference
  • Year:
  • 2000

Quantified Score

Hi-index 0.00

Visualization

Abstract

Many electronic commerce applications, including those developed for business-to-consumer (B2C) and business-to-business (B2B) uses, require operations in computing environments that are truly distributed. That is, users can request data access from multiple locations within a distributed computing system. To complicate this type of operation, however, data can be distributed and represented in multiple forms. As a result, system administrators are encountering increasing difficulty in developing and managing application-specific policies for users and data. A multi-tier (N-tier) architecture can provide a powerful solution for meeting the diverse needs of the electronic commerce applications. However, a drawback to multi-tier architectures is that they require that a user's credentials and the policy-to-data mapping context must be available in the middle tier of the system architecture. This paper addresses the management of users and data by presenting a framework for combining attribute certificates with a mobile policy for effective application-specific control specification and administration in a distributed computing environment. Attribute certificates provide mobility to credentials and also provide fine-grained information about security principles. A mobile policy allows application-specific policies to move along with the data to other elements of the distributed computing system. We propose a high-level definition language to specify policies that are application-specific and mobile, and present an algorithm for enforcing attribute-based mobile policies.