- From: Tim Finin <finin@cs.umbc.edu>
- Date: Thu, 20 Dec 2001 13:09:32 -0500
- To: www-webont-wg@w3.org
- CC: joshi@csee.umbc.edu, Lalana Kagal <lkagal1@cs.umbc.edu>
Use Cases for Security based on Trust Management for Open Environments

We are exploring how a SWOL can be used to facilitate distributed trust management for authentication, authorization, access control, and the delegation of permissions and obligations to devices and agents. The following use cases explore some scenarios in which a SWOL can play a role.

SCOPE AND DEFINITION

Information technology is slowly becoming invisible, entering all aspects of our everyday life. Soon IT will go unnoticed and be integrated completely into the environment, and computers will become part of a network connecting all devices from clocks to PDAs and cell phones. People will be able to access computing resources anytime and anywhere. This computing, called Pervasive Computing, leads to wirelessly connected and widely distributed systems. These open, loosely coupled environments lead to serious security problems. There are similar problems with open networks like the Internet or even widely distributed intranets.

Traditionally, stand-alone computers and small networks rely on user authentication and access control to provide security. These mechanisms verify the identity of a person or process and explicitly enable or restrict the ability to use, change, or view a computer resource. However, they are inadequate for the increased flexibility that distributed networks such as the Internet and ubiquitous/pervasive computing environments require, as these systems lack central control and, in addition, their users are not all known in advance.

Characteristics of such "open environments" include the following:
1. Wirelessly connected components
2. Widely distributed resources
3. Wireless access via a handheld device
4. Users who may not be known in advance (e.g., foreign users)
5. Access rights that are dynamic, i.e. changing continuously
6. Distinction between the role that a user is filling at a given moment and the position the user holds in the organization

--
USE CASE I
TASK: Smart Meeting Room
DESCRIPTION: Consider a Smart Meeting Room, where the environment has sensors that allow relevant information to be collected about the attendees of the meeting, and the environment provides access control to the resources in the room. A user decides to have a meeting and tells his agent to arrange a meeting with a certain group of users. The agent contacts the agents of the other attendees and they negotiate a date and time. Then the organizer's agent checks the room availability and sends a message to the appropriate room with the tentative list of attendees. The room updates its schedule. When a user walks in, her/his RFID is scanned and her/his identity is verified. Based on the prior knowledge about the meeting, the room sets the role of the user as guest, attendee, organizer, speaker etc. and assigns her/his access rights. When the organizer walks in, she/he is given the right to access the computer, projector, printer, coffee maker etc., whereas a guest can only access the coffee maker. An organizer can delegate some of his rights to another attendee or guest based on the policy of the room. Some rooms may not allow the right to use the projector to be delegated, or the right to use the networked computer to be delegated. When the speaker walks in, the room identifies her/him. The speaker can send her/his slides to the projector and the projector will accept them and start displaying them. The speaker can also allow all the attendees to download her/his notes and other information on her/his mobile device but allow guests to only download the slide handouts.
EXAMPLE DOMAIN: meeting room
TYPICAL USER: attendees of a meeting
REQUIREMENTS:
1. Authenticating users
2. Role based access control
3. Wireless access to resources
4. Allow users to set access rights to their own resources
5. Delegation of some access rights

--
USE CASE II
TASK: Visiting Lecturer/Speaker
DESCRIPTION: Carol, an executive in an organization, is asked to give a talk at a University on a decided date and she accepts. On the predetermined date, she drives onto the campus and looks for a place to park. The 'parking lot controller' recognizes her as a visitor and gives her directions to the visitors' parking lot on her PDA. She parks her car and tries to find the right department. Again, as a visitor, she gets directions from the parking lot 'controller'. She finally finds the correct room and decides to set up her slides. The room recognizes her as a visitor and checks if she is supposed to be the speaker. The room has been notified that Carol is the speaker for today. As a speaker, Carol can access the projector but not the printer. She realizes that she has forgotten to print her handout. Her host delegates to Carol the right to use the faculty printer only for printing handouts, for the next 10 minutes.
EXAMPLE DOMAIN: Schools, Universities, Offices that invite speakers
TYPICAL USER:
REQUIREMENTS:
1. Authenticating foreign users
2. Constraints on the delegation

--
USE CASE III
TASK: Requesting access rights
DESCRIPTION: A Masters student at a University has just completed his Masters project and has included images in color. He decides that he would like to print color copies of his project. The only color printer is the faculty printer, which he does not have access to. He requests his advisor to allow him to use the printer. The advisor considers his student's request and decides to grant it as the student is trustworthy. The advisor delegates to the student the right to use the faculty printer for one day and to print no more than 100 pages. The student sends his job to the printer. The printer checks the job and finds that it is from a student, then it checks if there has been any delegation to the user from someone authorized to make delegations. As there is a delegation and it is still valid, the print job is allowed to go through. Another similar example is when the student requests permission for a group of students to use the faculty printer. If this group is predetermined, the advisor can create a group delegation. But if this group of students cannot be decided in advance, the advisor can give the requesting student the right to re-delegate the right to the printer for a certain period and to a certain group of students, for example research assistants or students with GPA greater than 3.5.
EXAMPLE DOMAIN: Universities, offices where access to certain resources is restricted
TYPICAL USER:
REQUIREMENTS:
1. Unique identification of resources
2. Requesting access rights
3. Delegating to a group of users
4. Allowing redelegation
5. Restricting redelegation

--
USE CASE IV
TASK: Database driven websites
DESCRIPTION: For websites with frequent updates and a large amount of information management, like CNN or MSN, there are a number of designated data entry operators who are allowed to modify and add certain kinds of information on the website. These operators are managed by editors, who approve the changes before they are visible on the website. If an editor is unable to complete his duties for a day, and the workload is extremely heavy, he can delegate some of his duties to a data entry operator that he trusts for a limited time period. So the work can continue as normal, with the operator authorizing the changes on behalf of the editor. Once the editor is back, the operator's rights revert to normal and the editor continues with his tasks. In a normal scenario, the system administrator would have to be involved: he would create a new login for the data entry operator or change his access rights for the day and then change them back a day later.
EXAMPLE DOMAIN: Large news sites like CNN, New York Times or community sites like slashdot, ittalks.org etc.
TYPICAL USER: Editors, users who add news items
REQUIREMENTS:
1. Along with role based access rights, there should be a way of delegating access rights without changing the users' roles.
2. Delegation should be restricted by time
3. Users should only be able to delegate certain rights, not all their rights. For example, the editor should not be able to delegate to the operator the right to view certain confidential information.

--
USE CASE V
TASK: Intranet
DESCRIPTION: Generally, in an organization, information access is restricted by roles that are arranged in a hierarchy, with rights becoming more restrictive as you go down the hierarchy. For example, a software engineer has fewer access rights than his manager. Certain roles have certain access rights. A manager decides that she cannot complete working on some confidential document. Her secretary does not have the right to view or change that document. She trusts her secretary and delegates to her secretary the right to modify a portion of that document. She continues working on a section of the document while her secretary works on another portion.
EXAMPLE DOMAIN: Any Intranet
TYPICAL USER:
REQUIREMENTS:
1. Need not be strictly wireless
2. Information sharing
3. Delegation can override role based access control

--
USE CASE VI
TASK: Security between different offices of the same company
DESCRIPTION: Let ABC be a company with several offices all over the country. John, an employee of the New York office, visits the Los Angeles office for a training program. He walks in with his PDA and cellphone. His personal agent on his PDA contains information that authenticates him at the LA office. The LA office figures out his role in the NY office and assigns him certain access rights. John needs to check his email, so he sits down at a terminal. The terminal negotiates with his agent and decides to allow him to use the internet. John then decides to go to the meeting room where the training program is being held. His agent looks around for a service that will give him directions to the appropriate room. As John is enrolled in the program and an employee of the company, he is allowed to use the mapping service that directs him to the right room. John receives a phone call from his secretary at the NY office telling him that he forgot to sign some extremely important papers. Now his agent has to locate a fax service or some combination of services that will allow him to receive a fax. Whether he can actually access the services will depend on his credentials and the security policy of the company, the policy of the LA branch and the access control information of the services.
EXAMPLE DOMAIN:
TYPICAL USER:
REQUIREMENTS:
1. Authenticate users within the same organization but from different offices

--
USE CASE VII
TASK: Security between Heterogeneous Systems
DESCRIPTION: Let XYZ be a company that is providing the company ABC with consulting services, so different employees from XYZ often visit the offices of ABC. Consider Marty, a consultant from XYZ, who walks into ABC's office in Virginia. He is able to open doors, put on lights, access the coffee maker and use a certain workstation, but not log into a server, use the fax machine, enter the mainframe room etc. Another employee of XYZ, Susan, should have different rights from Marty, because she may be a manager, work in a different department, be in charge of another project etc.
EXAMPLE DOMAIN:
TYPICAL USER:
REQUIREMENTS:
1. Authenticate foreign users
2. Understand in some way the roles of other systems and use them to decide access rights

--
USE CASE VIII
TASK: Medical database
DESCRIPTION: Alice decides to go to the hospital for a general checkup. Her personal agent goes out and contacts her hospital to make an appointment. Her agent checks her calendar and negotiates with the hospital's agent to find an appropriate slot. It is for the next day at 12.00, when Alice has time off from work for lunch. Alice goes to the hospital for her appointment and meets Dr. Johnson. Dr. Johnson uses her mobile or embedded device to view Alice's medical history to know what she should be aware of and be looking for. She decides that Alice needs an X-ray of some sort and asks the nurse to take one. The nurse in turn needs to access a certain portion of Alice's medical history that deals with why the X-ray is needed and what portion of Alice's anatomy should be involved, but the nurse should not be able to view Alice's entire history. Once the X-ray is taken, Dr. Johnson goes on with the rest of the checkup and decides to ask for a second opinion. A doctor from another hospital, Dr. Smith, is called in. Dr. Johnson delegates some of her 'doctor' rights to Dr. Smith, so that Dr. Smith can use certain equipment, access certain parts of the hospital's knowledge base and view a part of Alice's medical records. Dr. Smith goes through all the information and declares that Alice is fit.
EXAMPLE DOMAIN: Hospitals, clinics
TYPICAL USER: Doctors, nurses, administrative staff
REQUIREMENTS:

Some main requirements of a security infrastructure for open environments
1. The system should allow foreign entities to access entities within the system
2. As rights are dynamic, the system should not follow strict Role Based Access Control
3. Rights can be tailored for each entity
4. The system should be easy to configure and maintain.
5. Delegations should be possible with constraints attached to the delegatee, time, the action and redelegation.

OPEN QUESTIONS
1. Credentials: What kind of credentials does a user need? Most systems use digital certificates, so a digital certificate with additional fields is probably a good credential.
2. Policies: There should be a way of specifying security policies which include rules about authentication, access control, delegation and revocation.
3. Delegation: How should delegations be specified? And constrained?
4. Revocation: How should revocations be handled?
5. Reputation management: Should reputation play a part in this security infrastructure? And if yes, how should it be implemented?
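As an added illustration of use case III and of requirement 5 above (delegations constrained by delegatee, time, action and redelegation), the following Python sketch is not from the original message. It assumes constructed principals (advisor, bob, carol, dave) and a single right, "print:faculty_printer", and shows a printer deciding a job from a role right or from a delegation chain whose validity period, page quota and group rule on re-delegation are all enforced; the advisor's grant to bob is for one day and 100 pages, re-delegable to research assistants or students with GPA above 3.5.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

ROLE_RIGHTS = {"faculty": {"print:faculty_printer"}, "student": set()}  # constructed sample data
PRINCIPALS = {"advisor": {"role": "faculty"}, "bob": {"role": "student", "gpa": 3.8},
              "carol": {"role": "student", "gpa": 3.2, "ra": True}, "dave": {"role": "student", "gpa": 3.0}}

@dataclass
class Delegation:
    delegator: str
    delegatee: str
    right: str
    valid_until: datetime
    page_quota: int = None        # None = no page limit
    pages_used: int = 0
    redelegate_ok: bool = False   # may the delegatee pass the right on?
    redelegate_to: object = None  # predicate on the next delegatee's attributes (the group rule)

def delegation_chain(who, right, now, delegations, depth=0):
    """[] if `who` holds `right` by role, the delegation chain if by delegation, None if not held."""
    if right in ROLE_RIGHTS[PRINCIPALS[who]["role"]]:
        return []
    for d in (delegations if depth < 8 else []):   # depth bound stops cyclic delegation graphs
        if d.delegatee != who or d.right != right or now > d.valid_until:
            continue
        chain = delegation_chain(d.delegator, right, now, delegations, depth + 1)
        # every upstream grant must allow re-delegation and accept `who` under its group rule
        if chain is not None and all(c.redelegate_ok and (c.redelegate_to is None or
                                     c.redelegate_to(PRINCIPALS[who])) for c in chain):
            return chain + [d]
    return None

def authorize_print(who, pages, now, delegations):
    chain = delegation_chain(who, "print:faculty_printer", now, delegations)
    if chain is None:
        return False, "no role right and no valid delegation chain"
    if any(d.page_quota is not None and d.pages_used + pages > d.page_quota for d in chain):
        return False, "page quota exceeded"   # checked on the whole chain, so re-delegation cannot bypass it
    for d in chain:                           # charge every quota on the chain
        d.pages_used += pages
    return True, "ok"

def scenario():
    now = datetime(2001, 12, 20, 13, 0)
    adv = Delegation("advisor", "bob", "print:faculty_printer", now + timedelta(days=1), 100,
                     redelegate_ok=True, redelegate_to=lambda p: p.get("ra") or p["gpa"] > 3.5)
    dels = [adv, Delegation("bob", "carol", "print:faculty_printer", now + timedelta(hours=2)),
            Delegation("bob", "dave", "print:faculty_printer", now + timedelta(hours=2))]
    jobs = [("bob", 60, now), ("carol", 30, now), ("dave", 1, now), ("bob", 20, now),
            ("bob", 5, now + timedelta(days=2))]   # ok; RA via bob; fails group rule; 90+20>100; expired
    return [authorize_print(w, p, t, dels)[0] for w, p, t in jobs]   # [True, True, False, False, False]
```

Revocation (open question 4) would be handled by removing a Delegation from the list, which invalidates every chain built on it.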
Received on Thursday, 20 December 2001 13:08:00 UTC