Security-by-Contract for Web Services or How to Trade Credentials for Services∗

The classical approach to access control of Web Services is to present a number of credentials for the access to a service and possibly negotiate their disclosure using a suitable negotiation protocol and a policy to protect them. In practice a “Web Service” is not really a single service but rather a set of services that can be accessed only through a suitable conversation. Further, in real-life we are often willing to trade the disclosure of personal attributes (frequent flyer number, car plate or AAA membership etc.) in change of additional services and only in a particular order. In this paper we propose a novel negotiation framework where services, needed credentials, and behavioral constraints on the disclosure of privileges are bundled together and that clients and servers have a hierarchy of preferences among the different bundles. While the protocol supports arbitrary negotiation strategies we sketch two concrete strategies (one for the client and one for the service provider) that make it possible to successfully complete a negotiation when dealing with a cooperative partner and to resist attacks by malicious agent to ”vacuum-clean” the preference policy of the honest participant.