Affiliation:
1. Brigham Young University, Provo, UT
Abstract
The focus of access control in client/server environments is on protecting sensitive server resources by determining whether or not a client is authorized to access those resources. The set of resources is usually static, and an access control policy associated with each resource specifies who is authorized to access the resource. In this article, we turn the traditional client/server access control model on its head and address how to protect the sensitive content that clients disclose to and receive from servers. Since client content is often dynamically generated at run-time, the usual approach of associating a policy with the resource (content) a priori does not work. We propose a general-purpose access control model designed to detect whenever sensitive information is being transmitted, and determine whether the sender or receiver is authorized. The model identifies sensitive content, maps the sensitive content to an access control policy, and establishes the trustworthiness of the sender or receiver before the sensitive content is disclosed or received. We have implemented the model within TrustBuilder, an architecture for negotiating trust between strangers based on properties other than identity. The implementation targets open systems, where clients and servers do not have preexisting trust relationships. The implementation is the first example of content-triggered trust negotiation. It currently supports access control for sensitive content disclosed by web and email clients.
Publisher
Association for Computing Machinery (ACM)
Subject
Safety, Risk, Reliability and Quality, General Computer Science
Cited by
15 articles.