Limiting the Disclosure of Access Control Policies during Automated Trust Negotiation

Automated trust negotiation is a new approach to establishing trust between strangers through the exchange of property-based digital credentials, and the use of mobile access control policies that specify what combinations of credentials a stranger must supply in order to gain access to each local service or credential. In this paper, we show that access control policies can also contain sensitive information that should be protected from inappropriate access by strangers during negotiation. We present and analyze two automated trust negotiation strategies that support protection for access control policies. The first is the relevant credentials set strategy, which does not directly disclose access control policies and has a fast running time, but may disclose more credentials than strictly necessary. The second strategy is the all relevant policies strategy, which freely discloses all relevant access control policies that the other negotiating party has earned access to during negotiation, and offers the possibility of disclosing fewer credentials