Publications


Obligations for Privacy and Confidentiality in Distributed Transactions

Author(s): U.M. Mbanaso, G.S. Cooper, David Chadwick, and Anne Anderson  |  Published date:  Dec, 2007

<strong>Abstract:</strong>&nbsp; Existing&nbsp; access&nbsp; control&nbsp; systems&nbsp; are&nbsp; typically&nbsp; unilateral&nbsp; in&nbsp; that&nbsp; the&nbsp; enterprise&nbsp; service&nbsp; provider&nbsp; assigns&nbsp; the&nbsp; access&nbsp; rights&nbsp; and&nbsp; makes&nbsp; the&nbsp; access&nbsp; control decisions, and there is no negotiation between the client and the service provider.&nbsp; As&nbsp; access&nbsp; management&nbsp; systems&nbsp; lean&nbsp; towards&nbsp; being&nbsp; user-centric,&nbsp; unilateral&nbsp; approaches&nbsp; can&nbsp; no&nbsp; longer&nbsp; adequately&nbsp; preserve&nbsp; the&nbsp; user&rsquo;s&nbsp; privacy,&nbsp; particularly&nbsp;&nbsp; where&nbsp;&nbsp; the&nbsp;&nbsp; communicating&nbsp;&nbsp; parties&nbsp;&nbsp; have&nbsp;&nbsp; no&nbsp;&nbsp; pre-existing&nbsp;&nbsp; trust&nbsp;&nbsp; relationships.&nbsp; Establishing&nbsp; sufficient&nbsp; trust&nbsp; is&nbsp; therefore&nbsp; essential&nbsp; before&nbsp; parties&nbsp; can exchange sensitive information. This paper describes a bilateral symmetric approach&nbsp;&nbsp; to&nbsp;&nbsp; access&nbsp;&nbsp; control&nbsp;&nbsp; which&nbsp;&nbsp; deals&nbsp;&nbsp; with&nbsp;&nbsp; privacy&nbsp;&nbsp; and&nbsp;&nbsp; confidentiality&nbsp;&nbsp; simultaneously&nbsp;&nbsp; in&nbsp;&nbsp; distributed&nbsp;&nbsp; transactions.&nbsp;&nbsp; We&nbsp;&nbsp; introduce&nbsp;&nbsp; the&nbsp;&nbsp; concept&nbsp;&nbsp; of&nbsp;&nbsp; Obligation of Trust (OoT) as a privacy assurance mechanism that is built upon the&nbsp; XACML&nbsp; standard.&nbsp; The&nbsp; OoT&nbsp; allows&nbsp; communicating&nbsp; parties&nbsp; to&nbsp; dynamically&nbsp; exchange their privacy requirements, which we term Notification of Obligations (NOB)&nbsp;&nbsp; as&nbsp;&nbsp; well&nbsp;&nbsp; as&nbsp;&nbsp; their&nbsp;&nbsp; committed&nbsp;&nbsp; obligations,&nbsp;&nbsp; which&nbsp;&nbsp; we&nbsp;&nbsp; term&nbsp;&nbsp; Signed&nbsp;&nbsp; Acceptance&nbsp; of&nbsp; Obligations&nbsp; (SAO).&nbsp; We&nbsp; describe&nbsp; some&nbsp; applicability&nbsp; of&nbsp; these&nbsp; concepts&nbsp; and&nbsp; show&nbsp; how&nbsp; they&nbsp; can&nbsp; be&nbsp; integrated&nbsp; into&nbsp; distributed&nbsp; access&nbsp; control&nbsp; systems for stricter privacy and confidentiality control.

Download pdf