Authentication and Authorisation Infrastructures in b2c e-Commerce

  • Conference paper: E-Commerce and Web Technologies (EC-Web 2005)
  • Part of the book series: Lecture Notes in Computer Science (LNISA, volume 3590)

Abstract

One of the reasons for the failure of PKI in b2c e-commerce might be that too much effort was put into entity authentication. In many applications it is not necessary to know who an entity actually is, but only to be sure that he/she possesses the proper rights to perform the desired action. This is exactly the purpose of Authentication and Authorisation Infrastructures (AAIs). Today several proposals and running AAIs are available, each focusing on different aspects. The purpose of this paper is firstly to introduce common representatives and to discuss their focus, secondly to develop criteria and requirements that any AAI for b2c e-commerce has to fulfil, and finally to evaluate the proposals against the developed criteria. Candidates for evaluation are Kerberos, SESAME, PERMIS, AKENTI, Microsoft Passport, Shibboleth and the Liberty Framework.

© 2005 Springer-Verlag Berlin Heidelberg

Cite this paper

Schlaeger, C., Pernul, G. (2005). Authentication and Authorisation Infrastructures in b2c e-Commerce. In: Bauknecht, K., Pröll, B., Werthner, H. (eds) E-Commerce and Web Technologies. EC-Web 2005. Lecture Notes in Computer Science, vol 3590. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11545163_31

  • DOI: https://doi.org/10.1007/11545163_31

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-28467-3

  • Online ISBN: 978-3-540-31736-4
