In open distributed systems, resources are shared across organizational boundaries and as such, traditional identity-based access control lists (ACLs) are not viable options for protecting resources, as the set of authorized users may not be known a priori. The TrustBuilder project is investigating trust negotiation, an attribute-based access control (ABAC) model in which parties conduct bilateral and iterative exchanges of policies and certified attributes to negotiate for access to system resources including services, roles, capabilities, personal credentials, and sensitive system policies. The image below illustrates a simple trust negotiation occurring between Bob's service and a previously unknown user Alice. Upon requesting access to Bob's server, Alice is provided with the policy guarding this service, which states that she must disclose a Visa card credential so that she can be billed for her service usage. Alice has this credential, but is only willing to show it to members of the Better Business Bureau (BBB), so she sends Bob a policy to this effect. Bob then discloses his BBB credential to Alice along with a proof of ownership. Alice is then satisfied that Bob belongs to the BBB, so she discloses her credit card and is granted access to Bob's service.
The TrustBuilder project is an ongoing research effort that has contributed to both the theoretical foundations and the systems-level issues surrounding trust negotiation. Below, we highlight several key areas of research in the TrustBuilder project along with a list of representative publications for each area. A complete list of publications for this project can be found in the Trust Management and Compliance Storage group publications page. For readers interested in a general introduction to trust negotiation, such an article is available, targeted toward people without a background in security research.Return to top
All e-mail addresses are in the cs.uiuc.edu domain.
Principal Investigator: Marianne Winslett
Primary Student Contact: Adam J. Lee (adamlee)