Trust enhanced distributed authorisation for web services

a r t i c l e i n f o a b s t r a c t In this paper, we propose a trust enhanced distributed authorisation architecture (TEDA) that provides a holistic framework for authorisation taking into account the state of a user platform. The model encompasses the notions of 'hard' and 'soft' trust to determine whether a platform can be trusted for authorisation. We first explain the rationale for the overall model and then describe our hybrid model with 'hard' and 'soft' trust components, followed by a description of the system architecture. We then illustrate our implementation of the proposed architecture in the context of authorisation for web services. We discuss the results and demonstrate that such a trust enhanced approach could enable better authorisation decision making, especially in a distributed environment where user platforms are subject to dynamic security threats. Distributed systems have fundamentally changed the way individuals and enterprises share, process and store information today. Security issues, and authorisation in particular play a vital role in distributed systems, as greater availability and access to information in turn imply that there is a greater need to protect them. To address this issue, several access control mechanisms, languages and systems [1–7] have been proposed in the past. However, a majority of these systems have been designed to address authorisation requirements that relate to human users. Authentication systems based on passwords, identity certificates, role certificates or even bio-metric information like fingerprints and iris recognition have been developed. Issues of trust arise when one considers whether or how much to trust the certificates or credentials being provided. Trust management systems have evolved from distributed authentication and authorisation systems taking into account aspects such as the nature and the roles of the authorities involved, the types of credentials and attributes to be used in the verification process, the delegation and revocation of credentials involved and the roles played. However many of these secure systems (be they authorisation or authentication) make some basic assumptions about the state of the platform that is hosting and running the systems software and applications. There is an inherent trust that is placed on the underlying platform when an upper level user or an application is authenticated or authorised. In the current networked world with heterogeneous platforms and numerous software applications and system software running on these platforms, it is important such underlying trust assumption …