16th Annual Computer Security Applications Conference
December 11-15, 2000
New Orleans, Louisiana
Using Attribute Certificates with Mobile Policies in Electronic Commerce Applications
Vinti Doshi,
Amgad Fayad,
Sushil Jajodia &
Roswitha McLean
The MITRE Corporation
USA
Many electronic commerce applications, including those developed for
business-to-consumer (B2C) and business-to-business (B2B) uses, require
operations in computing environments that are truly distributed. That
is, users can request data access from multiple locations within a
distributed computing system. To complicate this type of operation,
however, data can be distributed and represented in multiple forms. As
a result, system administrators are encountering increasing difficulty
in developing and managing application-specific policies for users and
data. A multi-tier (N-tier) architecture can provide a powerful
solution for meeting the diverse needs of the electronic commerce
applications. However, a drawback to multi-tier architectures is that
they require that a user's credentials and the policy-to-data mapping
context must be available in the middle tier of the system architecture.
This paper addresses the management of users and data by presenting a
framework for combining attribute certificates with mobile policy for
effective application-specific control specification and administration
in a distributed computing environment. Attribute certificates provide
mobility to credentials and also provide fine-grained information about
security principals. Mobile policy allows application-specific policies
to move along with the data to other elements of the distributed
computing system. Herein we propose a high-level definition language to
specify policies that are application-specific and mobile, and present
an algorithm for enforcing attribute-based mobile policies.
Read Paper (in PDF)