Obligations for Privacy and Confidentiality in Distributed Transactions

Author(s): U.M. Mbanaso, G.S. Cooper, David Chadwick, and Anne Anderson  |  Published date:  Dec, 2007

Abstract:  Existing  access  control  systems  are  typically  unilateral  in  that  the  enterprise  service  provider  assigns  the  access  rights  and  makes  the  access  control decisions, and there is no negotiation between the client and the service provider.  As  access  management  systems  lean  towards  being  user-centric,  unilateral  approaches  can  no  longer  adequately  preserve  the  user’s  privacy,  particularly   where   the   communicating   parties   have   no   pre-existing   trust   relationships.  Establishing  sufficient  trust  is  therefore  essential  before  parties  can exchange sensitive information. This paper describes a bilateral symmetric approach   to   access   control   which   deals   with   privacy   and   confidentiality   simultaneously   in   distributed   transactions.   We   introduce   the   concept   of   Obligation of Trust (OoT) as a privacy assurance mechanism that is built upon the  XACML  standard.  The  OoT  allows  communicating  parties  to  dynamically  exchange their privacy requirements, which we term Notification of Obligations (NOB)   as   well   as   their   committed   obligations,   which   we   term   Signed   Acceptance  of  Obligations  (SAO).  We  describe  some  applicability  of  these  concepts  and  show  how  they  can  be  integrated  into  distributed  access  control  systems for stricter privacy and confidentiality control.

Download pdf