A survey of trust in internet applications
Summary (6 min read)
1 MOTIVATION
- Internet services are increasingly used in daily life for electronic commerce, web-based access to information and inter-personal interaction via electronic mail rather than voice or face-to-face contact, but there is still major concern about the trustworthiness of these services.
- There are no accepted techniques or tools for the specification of, and reasoning about, trust.
- There is a need for a high-level, abstract way of specifying and managing trust, which can be easily integrated into applications and used on any platform.
- Customers must trust that sellers will provide the services they advertise, and will not disclose private customer information (name, address, credit card details, purchases etc.).
- The level of trust has an approximate inverse relationship to the degree of risk with respect to a service or an e-commerce transaction [21] [22] [23] , but there has been very little work on using risk management frameworks for trust management or on the analysis of the exact relationship between risk and trust.
2 DEFINING TRUST
- There is no consensus in the literature on what trust is and on what constitutes trust management [21, 23] , though many research scientists recognise its importance [24, 25] .
- Competence is a better term than strength in the context of services and computing systems: an entity should be capable of performing the functions expected of it, or of providing the service it is meant to provide, correctly and within reasonable timescales.
- If I develop a trust relationship with a particular student, I may authorise him to install software on my computer and hence set up the necessary access control rights to permit access.
- Anonymous authorisation can be implemented using capabilities or certificates [28] .
- The authors define trust as "the firm belief in the competence of an entity to act dependably, securely and reliably within a specified context" (assuming dependability covers reliability and timeliness).
3 PROPERTIES OF TRUST RELATIONSHIPS
- A person is only trusted to deal with financial transactions less than $2000 in value.
- Examples include protecting files from accidental deletion or mechanisms to prevent a person driving a car when under the influence of alcohol.
- There have been suggestions that trust relationships should not be transitive [23] , however, some trust scenarios do exhibit transitivity.
- Some systems support arithmetic operations on trust recommendations so numeric quantification is more appropriate.
- Jøsang's Opinion Model, based on subjective logic, may be a suitable technique for assigning trust values in the face of uncertainty [31] [32] [33] [34] .
4.1 Access to a Trustor's Resources
- Abrams and Joyce [35] highlight the fact that resource access trust has been the focus for security specialists for many decades, although the emphasis has mostly been on mechanisms supporting access control.
- Simple file access requires that the trustee will follow the correct protocol, will not divulge information read, and will write only correct data etc.
- The code is expected not to damage the trustor's resources, to terminate within reasonable finite time and not to exceed some defined resource limits with respect to memory, processor time, local file space etc.
- In [35, 36] , the authors implicitly map trust decisions to access control decisions.
- Generally, resource access trust can form the basis for specifying authorisation policy, which then is implemented using operating system or database access control mechanisms, firewall rules etc.
Examples of Resource Access Trust
- Third year and above students are trusted to use the parallel processing service.
- These rather abstract specifications of trust and distrust would need to be refined into specific authorisation policies that define the permitted operations on specific resources.
4.2 Provision of Service by the Trustee
- The trustor trusts the trustee to provide a service that does not involve access to the trustor's resources.
- Note this may not be true of many services such as web services that download applets and cookies, and so do require access to resources owned by the trustor.
- Service bureaux and application service providers (ASPs) [38] [39] [40] are prime examples of entities that would require service provision trust to be established.
- Mobile code and mobile agent based applications obviously must trust the execution environment provided by the remote system (provision of service trust) but the execution environment should not be damaged by the mobile code (access to resources trust).
Examples of Service Provision Trust
- I trust a film recommendation service to only recommend films that are not pornographic.
- A trustor's trust in the competence of a trustee to provide a service differs from confidence trust: confidence applies to entities the trustor will use, whereas competence applies to entities that perform some action on behalf of the trustor.
- The vendor or bank is also trusted to maintain the privacy of any information such as name, address and credit card details, which it holds about the customer.
- I trust the newsagent to email me an electronic newspaper every morning before 8am.
4.3 Certification of Trustees
- This may imply competence if the identity is a well-known organisation.
- Professional certification is a common technique used to indicate competence in the medical world, commerce and engineering so could be applied to Internet services [23] .
Trustee Certification Examples
- I will only use downloaded software updates that carry Microsoft certificates.
- Note that the certification authority is in fact providing a trust certification service so this is a special form of service provision trust but involves a third party in establishing the trust.
- There are many papers discussing this specific form of trust service, which is the reason the authors define it as a separate classification.
4.4 Delegation
- Ding and Peterson [52] illustrate a novel way of implementing delegation, with hierarchical delegation tokens.
- They propose a classification of delegation schemes, with appropriate protocols, which they analyse, based on efficiency, and compare with related work.
- The ideas they express represent lower-level mappings from their concept of delegation in that they concentrate on access control.
4.5 Infrastructure Trust
- A user should be able to trust his workstation, local network and local servers, which may implement security or other services in order to protect his infrastructure.
- The culmination of this work was the U.S. Department of Defense specification for a set of resources, known as the Trusted Computing Base (TCB) [53] that had to be trusted by all applications executing on a machine to support the required security policy.
- The TCB can be viewed as the set of hardware, firmware and software elements, which are used to implement the reference validation mechanism i.e. the "validation of each reference to data or programs by any user (or program) against a list of authorized types of reference for that user".
- It was aimed more at centralised systems implementing information labelling and preventing information flow to unauthorised users, rather than commercial or networked systems.
Infrastructure Trust Examples
- I trust hardware that has been certified by the Trusted PC Computer Base Certification Board.
- The PC's application software trusts the operating system.
5 TRUST MANAGEMENT
- Current solutions do not address this problem of trust changing with time.
- Additionally, these systems unconditionally accept credentials offered by the trustee and then decide what the trustee is permitted to do.
- Even though there may be a relationship between the trustor and trustee, the trustee may wish to function in some other capacity than previously agreed upon.
- Systems change and evolve so there is a need to monitor trust relationships to determine whether the criteria on which they are based still apply.
6.1 Public Key Certificates
- The certification authority does not vouch for the trustworthiness of the key owner, but simply authenticates the owner's identity.
- This is necessary to establish a resource access or service provision trust relationship and may implicitly reduce the trustor's risk in dealing with the trustee [23] .
- The PGP trust model [47] is used for authentication relating to electronic mail type of applications between human users.
- An introducer is an entity that signs someone else's public key (and thus vouches for a name-public key binding).
- Each entity must have a certificate that is signed by the central certification authority or another authority, which has been directly or indirectly certified by it.
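As an added example (not PGP's own code, nor from the survey), the following Python models how the introducer scheme above turns a set of key signatures and per-introducer trust levels into a decision about which name/public-key bindings are valid. The signatures are assumed to be already cryptographically verified, and the thresholds of one completely trusted or two marginally trusted introducers are the classic PGP defaults, a fact the page itself does not state; the key identifiers are constructed for the example.

```python
"""Toy PGP web-of-trust key validity (added example, not PGP code)."""
from enum import Enum
from typing import Dict, Set, Tuple


class Trust(Enum):
    """Degrees of trust a user can assign to a key as an introducer."""
    UNKNOWN = 0
    UNTRUSTED = 1
    MARGINAL = 2
    COMPLETE = 3


# (introducer key id, key id whose name/key binding the introducer signed);
# assumption: the signatures themselves have already been verified.
Signature = Tuple[str, str]


def valid_keys(own_key: str, trust: Dict[str, Trust], signatures: Set[Signature],
               completes_needed: int = 1, marginals_needed: int = 2) -> Set[str]:
    """Return the set of keys whose name/key binding is valid.

    A key becomes valid when it carries signatures from enough introducers that
    are (a) themselves valid and (b) trusted as introducers: one completely
    trusted introducer or two marginally trusted ones (classic PGP defaults,
    assumed here).  The owner's own key is valid by definition and acts as a
    completely trusted introducer.  Untrusted or unknown introducers contribute
    nothing, even when their own keys are valid."""
    trust = {**trust, own_key: Trust.COMPLETE}
    valid = {own_key}
    candidates = {signed for _, signed in signatures}
    changed = True
    while changed:            # iterate: validity of an introducer may arrive late
        changed = False
        for key in candidates - valid:
            completes = marginals = 0
            for introducer, signed in signatures:
                if signed != key or introducer not in valid:
                    continue
                level = trust.get(introducer, Trust.UNKNOWN)
                if level is Trust.COMPLETE:
                    completes += 1
                elif level is Trust.MARGINAL:
                    marginals += 1
            if completes >= completes_needed or marginals >= marginals_needed:
                valid.add(key)
                changed = True
    return valid
```

The distinction the code makes explicit is the one the section draws: a signature proves a name/key binding, while the trust level is the user's separate judgement of the signer as an introducer, so a valid but untrusted key (DAVE below) cannot introduce anyone.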
6.2 Platform for Content Selection (PICS)
- PICS was developed by the World Wide Web Consortium (W3C) as a solution to the problem of protecting children from pornography on the Internet without infringing on one's right to freedom of speech.
- A PICS-compliant application should be able to read PICS labels and use the user-defined filtering rules to decide whether to accept or reject the document.
- The URL in the rating-service clause identifies the document with the human-readable description of the rating service.
- In the above example, the name clause defines a human readable name for the rule and a description.
- The other clauses reject pages from two sites, accept good plays, allow educational documents, reject documents with too much violence (unless they are educational), block any page with too many graphics (with the exception of educational documents) and allow all other pages.
6.3 AT&T PolicyMaker and KeyNote
- Traditional certificate frameworks such as PGP and X.509 do not bind access rights to the owner of the public key within the certificate framework.
- The inputs to the PolicyMaker interpreter are the local policy, the received credentials and an action string (which specifies the actions that the public key wants to perform).
- A credential is a signed trust assertion made by other entities and the signatures must be verified before the credentials can be used.
- Filter programs take as input, the current action string and the environment, which contains information about the current context (e.g. date, time, application name, etc.).
- The name of the language is given in assertions and must be known by anyone who needs to use the assertion.
- Example policy assertion: policy ASSERTS doctor_key WHERE <filter that allows a check-up if the field is not plastic surgery>.
- For PolicyMaker to make a decision there must be at least one policy in the input supplied to it from the trust base.
- The following credential states that the BMA asserts that the person with key "0x12345abcd" is not a plastic surgeon.
- It is important to note that assertions can modify the action strings that they accept, through the use of Annotations.
- Annotations are essentially a mechanism for communication between assertions (inter-assertion communication), as well as communication between the application and the credentials.
- This allows PolicyMaker to append conditions to the action strings, if necessary.
- A query to the engine has the form: key1, key2, key3, ... REQUESTS ActionString.
- Action strings are generated and interpreted by the calling applications.
- In summary, an application gives the PolicyMaker engine, a (set of) requested action(s), a set of credentials and a policy and the engine tries to prove that the credentials contain a proof that the requested action(s) complies with the policy.
- A simple, lightweight assertion language with no loops or recursion is used in order to enforce resource usage restrictions, to allow the assertions to be easily understood by humans and easily refined from high-level languages, etc. [56] .
- The current implementation of the KeyNote Toolkit is written in C. Neither system addresses the problem of how to discover that credentials are missing, and neither system supports negative assertions.
- The authors claimed that both these systems are a more general solution to the trust management problem than public-key certificates.
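To make the query model concrete, here is an added Python example (not PolicyMaker or KeyNote code, and not from the survey) of a compliance checker with the same shape: a local policy, a set of credentials that must be signature-verified before use, an action string, an environment, and annotation as the channel between assertions. It uses the doctor/BMA example from the section above. Signatures are stood in for by HMAC with a demo key per issuer, the action string is modelled as key/value pairs, and the issuer name "BMA", the key "0x12345abcd" and the field names are constructed for the example.

```python
"""Toy PolicyMaker-style compliance checker (added example, not PolicyMaker code)."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Action = Dict[str, str]   # the action string, modelled as key/value pairs
Env = Dict[str, str]      # environment supplied by the application (date, app name, ...)
# A filter rejects an action (None) or accepts it, possibly with annotations added.
Filter = Callable[[Action, Env], Optional[Action]]


@dataclass
class Assertion:
    source: str           # "policy", or the issuer of a credential
    filter: Filter


@dataclass
class Credential:
    issuer: str
    body: Dict[str, str]
    signature: bytes


# Assumption: issuer signatures are stood in for by HMAC with a demo key per issuer.
# Real PolicyMaker credentials carry public-key signatures.
ISSUER_KEYS = {"BMA": b"bma-demo-key"}


def canonical(body: Dict[str, str]) -> bytes:
    return json.dumps(body, sort_keys=True).encode()


def sign(issuer: str, body: Dict[str, str]) -> Credential:
    sig = hmac.new(ISSUER_KEYS[issuer], canonical(body), hashlib.sha256).digest()
    return Credential(issuer, body, sig)


def verify(cred: Credential) -> bool:
    """A credential's signature must be verified before the credential is used."""
    key = ISSUER_KEYS.get(cred.issuer)
    if key is None:
        return False
    expected = hmac.new(key, canonical(cred.body), hashlib.sha256).digest()
    return hmac.compare_digest(expected, cred.signature)


def credential_assertion(cred: Credential) -> Assertion:
    """BMA ASSERTS <subject key> WHERE the action is annotated with the subject's
    field of practice: annotation is how one assertion talks to the next."""
    def flt(action: Action, env: Env) -> Optional[Action]:
        if action.get("requester") != cred.body["subject"]:
            return None
        return {**action, "field": cred.body["field"], "annotated_by": cred.issuer}
    return Assertion(cred.issuer, flt)


def local_policy() -> List[Assertion]:
    """policy ASSERTS doctor_key WHERE a check-up is allowed if the field,
    as annotated by a BMA credential, is not plastic surgery."""
    def flt(action: Action, env: Env) -> Optional[Action]:
        if action.get("annotated_by") != "BMA":
            return None
        if action.get("request") == "check-up" and action.get("field") != "plastic surgery":
            return action
        return None
    return [Assertion("policy", flt)]


def complies(policy: List[Assertion], credentials: List[Credential],
             action: Action, env: Env) -> bool:
    """True if the verified credentials prove that the action complies with the
    policy.  Note what the engine cannot do: it does not report which credential
    is missing, and no assertion can deny an action outright."""
    if not policy:
        raise ValueError("PolicyMaker needs at least one policy assertion")
    assertions = [credential_assertion(c) for c in credentials if verify(c)]
    current = dict(action)
    # Run credential assertions to a fixed point; each may annotate the action string.
    for _ in range(len(assertions) + 1):
        changed = False
        for a in assertions:
            out = a.filter(current, env)
            if out is not None and out != current:
                current, changed = out, True
        if not changed:
            break
    return any(p.filter(current, env) is not None for p in policy)
```

A forged credential simply drops out at verification and the request fails closed, but the caller learns only "does not comply", which is the missing-credential discovery problem the section notes.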
6.4 Rule-controlled Environment For Evaluation of Rules and Everything Else (REFEREE)
- REFEREE is a trust management system for making access decisions relating to Web documents developed by Yang-Hua Chu based on PolicyMaker [41, 42] .
- All statements are "two element s-expressions", similar to attribute value pairs.
- REFEREE runs the module's interpreter with the policy and list of arguments, which may result in other modules being invoked, then returns an answer to the host application.
- The following policies highlight some features of this language.
- This policy states that labels from the MIT and CMU bureaus should be used and only pages with labels that state that the document has been thoroughly checked for viruses can be downloaded.
- For this example, the invoke clause runs the load label module, which loads the labels from the bureaus.
- The match clause searches all the labels for the pattern described.
6.5 IBM Trust Establishment Framework
- IBM views trust establishment as the enabling component of E-Commerce [62] .
- Their system is similar to PolicyMaker, but permits negative rules preventing access.
- The Trust Establishment module validates the client's certificate and then maps the certificate owner to a role.
- The following example is taken from [63] .
- The first group defined is the originating retailer.
- Then, it is stated that entities that have partner certificates, signed by the original retailer, are placed in the group partners.
- The group department is defined as any user having a partner certificate signed by the partners group.
- Finally, the customer group consists of anyone that has an employee certificate signed by a member of the departments group who has a rank greater than 3.
- After the Trust Establishment module has determined that an entity can be assigned to a particular role, it then sends this information to another module, which stipulates the access rights that are bound to the particular role.
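As an added example (not IBM's Trust Establishment code, nor from the survey), the following Python evaluates the four group rules just described over a set of certificates and then hands role membership to a separate rights lookup, mirroring the two-module split. Certificates are assumed to have been signature-verified upstream, "rank" is taken to be an attribute of the employee certificate (an interpretation of the summary), and the key identifiers and the rights bound to each role are constructed for the example. Only positive rules are modelled; the negative rules the framework also permits are not shown.

```python
"""Toy Trust Establishment role mapping (added example, not IBM's code)."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Set


@dataclass(frozen=True)
class Certificate:
    kind: str      # "partner" or "employee"
    subject: str   # key id of the holder
    issuer: str    # key id of the signer (assumption: signature verified upstream)
    rank: int = 0  # attribute of employee certificates (interpretation of the summary)


@dataclass
class Rule:
    group: str                                 # group being defined
    cert_kind: str                             # certificate the member must hold
    issuer_group: str                          # group the signer must belong to
    condition: Callable[[Certificate], bool] = lambda c: True


# The four group definitions from the example above.
POLICY: List[Rule] = [
    Rule("partners", "partner", "retailer"),
    Rule("departments", "partner", "partners"),
    Rule("customers", "employee", "departments", lambda c: c.rank > 3),
]


def map_roles(retailer_key: str, certs: Iterable[Certificate],
              policy: List[Rule] = POLICY) -> Dict[str, Set[str]]:
    """Assign each certificate holder to the groups the rules admit it to,
    iterating until no rule adds a member, because whether a signer belongs
    to the issuer group may itself depend on an earlier rule."""
    certs = list(certs)
    groups: Dict[str, Set[str]] = {"retailer": {retailer_key}}
    for rule in policy:
        groups.setdefault(rule.group, set())
    changed = True
    while changed:
        changed = False
        for rule in policy:
            for c in certs:
                if (c.kind == rule.cert_kind
                        and c.issuer in groups[rule.issuer_group]
                        and rule.condition(c)
                        and c.subject not in groups[rule.group]):
                    groups[rule.group].add(c.subject)
                    changed = True
    return groups


# Assumption: the rights the second module binds to each role (constructed).
ROLE_RIGHTS: Dict[str, Set[str]] = {
    "customers": {"place_order", "view_catalogue"},
    "departments": {"view_catalogue", "manage_stock"},
    "partners": {"view_catalogue", "manage_stock", "set_prices"},
}


def rights_for(subject: str, groups: Dict[str, Set[str]]) -> Set[str]:
    """Rights follow from role membership, never from a certificate directly."""
    return set().union(*(ROLE_RIGHTS.get(g, set())
                         for g, members in groups.items() if subject in members))
```

Note that an employee certificate signed by a partner rather than a department (E3 below) confers nothing, and a partner certificate from a signer outside the chain (P2) is ignored: the chain must bottom out at the retailer's key.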
6.6 Logic-Based Formalisms of Trust
- Trust involves specifying and reasoning about beliefs.
- The Authorization Specification Language (ASL) by Jajodia, Samarati and Subrahmanian [66] is used to specify authorization rules and makes explicit the need for the separation of policies and mechanisms.
- They adopt the relevant axiomatic schemas into their formalism and use their composite language to model various trust scenarios.
- His model consists of simple trust statements (for example B_i p, which means "agent i believes proposition p") and properties such as transitivity, the Euclidean property, etc. are defined.
7 APPLICATIONS OF TRUST MANAGEMENT
- Most of the literature relating to trust applications really discusses security requirements relating to authentication, confidentiality, data integrity or non-repudiation rather than trust as the authors define it.
- The authors have selected a few application domains that highlight some specific trust management requirements.
7.1 Medical Information Systems
- Medicine has many sub-disciplines each with its own set of trust issues but based on a sound ethical foundation.
- There are three major problems with emerging medical systems, namely: electronic trust relationships not matching the relationship in the real world, a focus on centralisation and putting too much power in the hands of one body, and the lack of sufficient mechanisms to de-identify records.
- Consent and notification: the responsible clinician must notify the patient of the names on his record's access control list when it is opened, of all subsequent additions, and whenever responsibility is transferred.
- Issues arose as to what would happen when the certificate became obsolete.
- Given these questions, a decision was made to use the catalogue hashes as the primary trust mechanism.
7.2 Information Retrieval Systems
- From sections 6.2 and 6.4 it can be seen that attempts have been made to perform trust management in this domain.
- To specify one's viewing tastes one can use any PICS-compliant filtering language, such as PICSRules or profiles-0.92.
- It is also necessary to ensure that information retrieval systems do not disseminate information that is not for general distribution.
- The emphasis in this work is on the prevention of information leakage from one level to another.
7.3 Mobile code
- Mobile agents migrate code and data from one machine to another to perform tasks on behalf of a user.
- Swarup and Schmidt [17] also briefly discuss this issue, highlighting the trust management mechanisms, policy negotiation protocols and mobility protocols.
- Research in this field [5, 6, 89] is focused on formulating the best protocol to ensure that the mobile agent does not cause the server any harm.
- These protocols define the process of trust establishment, but the other components of trust are totally ignored.
References
- Burrows, Abadi and Needham [65] propose a language to specify the steps followed in the authentication process between two entities (resource access protocol analysis).
- Simple relational formalisms are used to model trust with statements of the form T_a b, which means "a trusts b" [64-67].
- As stated in [65], "Since we operate at an abstract level, we do not consider errors introduced by concrete implementations of a protocol, such as deadlocks, or even inappropriate use of cryptosystems."
- Blaze et al. defined trust management as "a unified approach to specifying and interpreting security policies, credentials, and relationships that allow direct authorization of security-critical actions" [54].
- PolicyMaker is a trust management application, developed at AT&T Research Laboratories, that specifies what a public key is authorized to do [54].
- Each entity must have a certificate that is signed by the central certification authority or another authority that has been directly or indirectly certified by it. This model assumes that certification authorities are organised into a universal "certification authority tree" and that all certificates within a local community will be signed by a certification authority that can be linked into this tree [54].
- The paper by Blaze et al. [54] was one of the first to introduce the term trust management, although prior security for networked applications had an implicit notion of trust management based on PGP [47] or X.509 public-key certificates [46, 48], which are discussed in a later section.
- Typical applications requiring a formal trust specification include content selection for web documents [1], medical systems [2], telecommuting [3], mobile code and mobile computing [4-6], as well as electronic commerce [7-14].
Frequently Asked Questions (13)
Q2. What are the future works mentioned in the paper "A survey of trust in internet applications" ?
The authors hope to extend this to allow the specification of more abstract and potentially complex trust relationships between entities and across organisational domains. The authors will use the policy refinement tools, being developed, to generate the Ponder policy specification. This can be translated into implementation mechanisms such as Windows security templates, firewall rules or Java security policy. The toolkit must support the concepts of trust quantification from third parties and delegation of trust decisions, which may be likely in automated trust systems.
Q3. What are the examples of entities that would require service provision trust to be established?
Service bureaux and application service providers (ASPs) [38-40] are prime examples of entities that would require service provision trust to be established.
Q4. Why is PGP considered unreliable for E-Commerce?
Due to PGP’s lack of official mechanisms for the creation, acquisition and distribution of certificates it is considered unreliable for E-Commerce, but appropriate for personal communication.
Q5. What was hoped that would mean for PolicyMaker?
It was hoped that leaving the assertion language an open issue would mean flexibility and greater programmability for PolicyMaker.
Q6. What is the purpose of the separation of the application and its trust management framework?
A separation of the application’s purpose and its trust management framework will offer a more scalable and flexible solution for the distributed environment.
Q7. What is the syntax of the PolicyMaker system?
The PolicyMaker system is essentially a query engine which can either be built into applications (through a linked library) or run as a “daemon” service.
Q8. What are the forms of first order predicate logic used to represent?
Forms of first order predicate logic [64-67] or (modified) modal logic [68-71] have been used to represent trust and its associated concepts.
Q9. What are the key issues to the emergence of E-Commerce as a viable commercial activity?
They state that the issues of the identification and reliability of business partners, the confidentiality of sensitive information, the integrity of valuable information, the prevention of unauthorized copying and use of information, guaranteed quality of digital goods, availability of critical information, the management of risks to critical information, and the dependability of computer services and systems (specifically the availability, reliability and integrity of infrastructure, the prevention of unauthorised use of infrastructure, guaranteed level of services and the management of risks to critical infrastructure) are key to the emergence of E-Commerce as a viable commercial activity.
Q10. What is the degree of trust that a user can have in her key?
Every key that a user trusts or signs has to have a degree of trust associated to it, namely: unknown, untrusted, marginally trusted or completely trusted.
Q11. What is the way to assign trust values in the face of uncertainty?
Jøsang’s Opinion Model, based on subjective logic, may be a suitable technique for assigning trust values in the face of uncertainty [31-34].
Q12. What is the definition of a system for publishing electronic medical books?
WAX is “a system for publishing electronic medical books containing information such as treatment protocols, drug formularies and government regulations to which healthcare professionals need frequent access in support of clinical decision-making” [84].
Q13. What type of trust maps into a form of access control?
This type of trust maps into a form of access control, which is subject-based, in that the subject is only permitted to access trusted services.