Assuring Security and Privacy for Digital Library Transactions on the Web: Client and Server Security Policies

Often an information source on the Web would like to provide diierent classes of service to diierent clients. In the autonomous, highly distributed world of the Web, the traditional approach of using authentica-tion to diierentiate between classes of clients is no longer suucient, as knowledge of a client's identity will often not suuce to determine whether a client is authorized to use a service. In CJW96] we proposed the use of digital credentials to help solve this problem; but their use will in turn introduce a bevy of new problems associated with credential management. In this paper we propose the use of server security policies and client credential submission policies to aid in the management of a client's digital credentials. We propose a structure for such policies, and brieey describe an implementation of personal security assistants and server security assistants that embodies our proposed approach.