Protecting sensitive attributes in automated trust negotiation
- 21 November 2002
- proceedings article
- Published by Association for Computing Machinery (ACM)
Abstract
Exchange of attribute credentials is a means to establish mutual trust between strangers that wish to share resources or conduct business transactions. Automated Trust Negotiation (ATN) is an approach to regulate the flow of sensitive attributes during such an exchange. Recently, it has been noted that early ATN designs do not adequately protect the privacy of negotiating parties. While unauthorized access to credentials can be denied, sensitive information about the attributes they carry may easily be inferred based on the behavior of negotiators faithfully adhering to proposed negotiation procedure. Some proposals for correcting this problem do so by sacrificing the ability to effectively use sensitive credentials. We study an alternative design that avoids this pitfall by allowing negotiators to define policy protecting the attribute itself, rather than the credentials that prove it. We show how such a policy can be enforced. We address technical issues with doing this in the context of trust management-style credentials, which carry delegations and enable one attribute to be inferred from others, and in the context where credentials are stored in a distributed way, and must be discovered and collected before being used in ATN.
This publication has 7 references indexed in Scilit:
- Design of a role-based trust-management framework. Published by Institute of Electrical and Electronics Engineers (IEEE), 2005
- Supporting structured credentials and sensitive policies through interoperable strategies for automated trust negotiation. ACM Transactions on Information and System Security, 2003
- Distributed credential chain discovery in trust management. Published by Association for Computing Machinery (ACM), 2001
- Interoperable strategies in automated trust negotiation. Published by Association for Computing Machinery (ACM), 2001
- PRUNES. Published by Association for Computing Machinery (ACM), 2000
- SPKI Certificate Theory. Published by RFC Editor, 1999
- A proof procedure for the logic of hereditary Harrop formulas. Journal of Automated Reasoning, 1993