Trust management on the World Wide Web
Department of Computer Science,
California at Irvine, Irvine, CA 92697-3425, U.S.A.
Computer Science Department,
California Institute of
Technology, Pasadena, CA 91125, U.S.A.
As once-proprietary mission-specific information systems migrate
onto the Web, traditional security analysis cannot sufficiently protect
each subsystem atomically. The Web encourages open, decentralized
systems that span multiple administrative domains. Trust
Management is an emerging framework for decentralizing security
decisions that helps developers and others ask "why" trust is
granted rather than immediately focusing on "how" cryptography can
enforce it. In this poster, we summarize the implications of Trust
Management to future Web applications.
Security and authorization; Protocols; Electronic
To date, "Web Security" has been associated with debates over
cryptographic technology, protocols, and public policy, obscuring the
wider challenges of building trusted Web applications. Since the
Web aims to be an information space that reflects not just human
knowledge but also human relationships, it will soon realize the full
complexity of trust relationships among people, computers, and
Within the computer security community, Trust Management (TM) has
emerged as a new philosophy for codifying, analyzing, and managing trust
decisions [1,2]. Asking the question
"Is someone trusted to take some action on some object?" entails
understanding the elements of TM:
- When deciding to trust some principal to take some action on some
object, it is absolutely critical to be specific about the
privileges granted; to trust yourself when vouchsafing the claim;
and to be careful before and after taking that step.
- The decision to grant trust is justified by a chain of assertions.
There are three kinds of actors making the assertional links based on
their particular identity lifetimes: people make assertions with
broad scope, bound to their long-lived names; computers
make narrow proofs of correct operation from their limited-scope
addresses; and organizations make assertions about people
and computers because they have the widest temporal and legal scope of
all. Credentials describe each kind of principal and its
relationships, such as membership and delegation.
- These are rules about which assertions can be combined to yield
permission. Broadly speaking, policies can grant authority based on the
identity of the principal asking; the capability at issue;
or an object already in hand. In other words, you might be
trusted based on who you are, what you can do, or what
- Deploying a TM infrastructure across so many administrative
boundaries on the open, distributed Web requires adapting to the
pragmatic limitations of the principles, principals, and
policies. Since objects can live anywhere on the Web, so can their
security labels. Furthermore, such labels should use a common,
machine-readable format that recursively uses the Web to document its
language. The real benefits of TM come from tying all of these details
together within a single TM engine. This will drive a handful of
standard protocols, formats, and APIs for representing principals and
In this poster, we describe pragmatic details of Web-based TM
technology for identifying principals, labeling resources, and enforcing
policies. We sketch how TM might be integrated into Web applications
for document authoring and distribution, content filtering, and mobile
code security. And, we measure today's Web protocols, servers, and
clients against this model.
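
The idea above of a trust decision "justified by a chain of assertions", with policy rules deciding which assertions combine to yield permission, can be made concrete with a small sketch. This is an added example, not code from the poster or its authors; the `Assertion` fields, the `justify` function and all principal names are hypothetical, timestamps are a constructed integer clock, and assertions are assumed to be already authenticated (no signature checking is shown).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Assertion:
    issuer: str                 # principal making the assertion
    subject: str                # principal being trusted
    action: str                 # the specific privilege granted
    obj: str                    # the object it applies to
    not_after: int              # expiry time (constructed integer clock)
    may_delegate: bool = False  # may the subject pass the privilege on?

def justify(policy, assertions, principal, action, obj, now):
    """Return the chain of assertions (root first) that justifies the
    request, or None if no valid chain reaches a policy root."""
    roots = policy.get((action, obj), set())
    if principal in roots:
        return []                             # policy names the requester directly

    def search(holder, must_delegate, seen):
        for a in assertions:
            if (a.subject, a.action, a.obj) != (holder, action, obj):
                continue                      # not about this exact privilege
            if a.not_after < now:
                continue                      # assertion has expired
            if must_delegate and not a.may_delegate:
                continue                      # holder was not allowed to pass it on
            if a.issuer in roots:
                return [a]                    # chain is anchored in local policy
            if a.issuer in seen:
                continue                      # avoid delegation cycles
            chain = search(a.issuer, True, seen | {a.issuer})
            if chain is not None:
                return chain + [a]
        return None

    return search(principal, False, {principal})

# Constructed sample data: an organization, two people and a computer.
POLICY = {("publish", "/reports"): {"org:example-lab"}}
ASSERTIONS = [
    Assertion("org:example-lab", "person:alice", "publish", "/reports", 2000, True),
    Assertion("person:alice", "host:build-17", "publish", "/reports", 1500),
    Assertion("host:build-17", "person:mallory", "publish", "/reports", 1500),
    Assertion("person:alice", "person:bob", "publish", "/reports", 900),
]

if __name__ == "__main__":
    for who in ("host:build-17", "person:mallory", "person:bob"):
        chain = justify(POLICY, ASSERTIONS, who, "publish", "/reports", now=1000)
        print(who, "->", "denied" if chain is None
              else [f"{a.issuer} => {a.subject}" for a in chain])
```

The computer is granted the privilege through the organization and the person, while the other two requests are denied: one because the computer's own grant was not delegable, the other because the assertion has expired.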
We believe that as Web-based applications replace closed information
systems, transactions will cross more and more organizational
boundaries, often magnifying latent flaws in existing trust
relationships. For example, consider the U.S. Social Security
Administration's ill-fated attempt to put its records on the Web. Each
American worker has a trust relationship with the SSA regarding his or
her pensions, sealed by the "secrecy" of his or her Social Security
Number, mother's maiden name, and birth state. For decades, those were
the keys to obtaining one's Personal Earnings and Benefit Estimate
Statement (PEBES). When the exact same interface was reflected on the
Web, however, nationwide outrage erupted over the perceived loss of
privacy, resulting in a hurried shutdown and "reevaluation".
In this case, fast and easy HTTP access has raised the potential for
large-scale abuse not present in the existing postal system. The SSA is
ensconced in a trust relationship that is not represented by a
corresponding secret, so cryptography cannot solve their problem.
Computers can alter the equation only by substituting the explicit power
of cryptography for the implicit power of psychology. The irony is that
they do share one secret record with each worker: that worker's earnings
history, which is why workers request a PEBES in the first place!
In the end, there will have to be a more secure way of accessing
such records, perhaps with a digital identity certificate
corresponding to today's Social Security Card. Such precautions may
even strengthen how the "traditional" paper system works. Cryptography
can offer much stronger proofs than traditional means, so trust
relationships will tend to be cemented with shared secrets that enable
those protocols, such as PIN numbers, shared keys, and credentials.
Web publishers, administrators, and readers will all need
infrastructure "to help users decide what to trust on the Web". This poster represents a call to arms
to the parties who have a role in bringing this vision to fruition:
- Web developers
- The people and organizations ultimately responsible for reducing
Web standard formats, protocols, and APIs to practice in software and
hardware should be committed to developing Trust Management
technologies. They should become engaged in the current standardization
debates surrounding public key infrastructure (the SPKI/SDSI working
group at the IETF); digital signatures (in the legislatures and courts,
as well as IETF and W3C); and formats for adding security and trust
metadata to the Web (at W3C).
- Web users
- Users have the power to persuade developers to follow this agenda.
Web users should be aware of the laundry list of trust decisions
confronting them every day: whether they are talking to the right
organization, whether they should run an applet, or whether they should
allow their children to access a site.
- Application designers
- The businesspeople, programmers, and regulators responsible for
creating and controlling new, secure Web applications should use the
concepts identified in this poster to identify and control security
risks. It is not merely a cryptographer's problem to uphold the
principles of Trust Management, identify principals, construct policies,
and integrate them with the Web. Each participant in application
development should think carefully about whom s/he is trusting, in what
roles, to permit some action.
- The emergence of the Web as a social phenomenon will even affect
people who do not use the Web. As informed citizens, we must consider
the impact of automating trust decisions and moving our human bonds into
WebSpace. Trust Management tools allow communities of people to define
their own worldviews, but at what risk of Balkanization?
If we all work together, automatable Trust Management could indeed
weave a World Wide Web of Trust, spun from the filaments of our faith in
Mr. Khare's work was sponsored by the Defense Advanced Research
Projects Agency and Air Force Research Laboratory, Air Force Materiel
Command, USAF, under agreement number F30602-97-2-0021. He would also like
to thank MCI Internet Architecture for its support in this research.
Mr. Rifkin's work was supported under the Caltech Infospheres
Project, sponsored by the CISE directorate of the National Science
Foundation under Problem Solving Environments grant CCR-9527130 and by
the NSF Center for Research on Parallel Computation under Cooperative
Agreement Number CCR-9120008.
- [1] M. Blaze, J. Feigenbaum, and J. Lacy,
Decentralized trust management, in:
Proceedings of the 1996 IEEE Symposium on Security and Privacy.
IEEE Computer Society Press, Los Alamitos, 1996, pp. 164-173,
available as a DIMACS Technical Report from
- [2] E. Brickell, J. Feigenbaum,
and D. Maher, in:
DIMACS Workshop on Trust Management in Networks,
South Plainfield, NJ, September 1996,
- [3] S. Garfinkel,
Few key bits of info open social security records,
USA Today, p. A1, May 12, 1997.
- [4] R. Khare,
Digital signature label architecture,
World Wide Web Journal Special Issue on Security,
2(3): 49-64, Summer 1997.
- [5] R. Khare and A. Rifkin,
Weaving a Web of trust,
World Wide Web Journal Special Issue on Security,
2(3): 77-112, Summer 1997,