Chapter

E-Commerce Security and Privacy

Volume 2 of the series Advances in Information Security pp 133-159

Provisional Authorizations

  • Sushil Jajodia, affiliated with Center for Secure Information Systems, George Mason University
  • Michiharu Kudo, affiliated with Tokyo Research Laboratory, IBM Japan Ltd
  • V. S. Subrahmanian, affiliated with Institute for Advanced Computer Studies, Institute for Systems Research and Department of Computer Science, University of Maryland

Abstract

Past generations of access control systems, when faced with an access request, have issued a “yes” (resp. “no”) answer to the access request resulting in access being granted (resp. denied). In this chapter, we argue that for the world’s rapidly proliferating business to business (B2B) applications and auctions, “yes/no” responses are just not enough. We propose the notion of a “provisional authorization” which intuitively says “You may perform the desired access provided you cause condition C to be satisfied.” For instance, a user accessing an online brokerage may receive some information if he fills out his name/address, but not otherwise. While a variety of such provisional authorization mechanisms exist on the web, they are all hardcoded on an application by application basis. We show that given (almost) any logic L, we may define a provisional authorization specification language pASL_L. pASL_L is based on the declarative, polynomially evaluable authorization specification language ASL proposed by Jajodia et al. [JSS97]. We define programs in pASL_L, and specify how given any access request, we must find a “weakest” precondition under which the access can be granted (in the worst case, if this weakest precondition is “false” this amounts to a denial). We develop a model theoretic semantics for pASL_L and show how it can be applied to online sealed-bid auction servers and online contracting.