Protecting Privacy during On-Line Trust Negotiation

  • Kent E. Seamons
  • Marianne Winslett
  • Ting Yu
  • Lina Yu
  • Ryan Jarvis
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2482)


The dramatic growth of services and information on the Internet is accompanied by growing concerns over privacy. Trust negotiation is a new approach to establishing trust between strangers on the Internet through the bilateral exchange of digital credentials, the on-line analogue to the paper credentials people carry in their wallets today. When a credential contains sensitive information, its disclosure is governed by an access control policy that specifies credentials that must be received before the sensitive credential is disclosed. This paper identifies the privacy vulnerabilities present in on-line trust negotiation and the approaches that can be taken to eliminate or minimize those vulnerabilities. The paper proposes modifications to negotiation strategies to help prevent the inadvertent disclosure of credential information during online trust negotiation for those credentials or credential attributes that have been designated as sensitive, private information.


Access Control Policy; Security Agent; Sensitive Attribute; Negotiation Strategy; Policy Disclosure
These keywords were added by machine and not by the authors.



Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Kent E. Seamons (1)
  • Marianne Winslett (2)
  • Ting Yu (2)
  • Lina Yu (1)
  • Ryan Jarvis (1)
  1. Computer Science Department, Brigham Young University, Provo, USA
  2. Department of Computer Science, University of Illinois at Urbana-Champaign, Urbana, USA
