Title:

The PolicyMaker Approach to Trust Management

Authors:

Matt Blaze, Joan Feigenbaum, and Jack Lacy
Affiliation:

AT&T Laboratories

Abstract:

In a recent paper [BFL], we argue that the "trust management problem" is a distinct and important component in the design of network services. For example, the use of public-key cryptography on a mass-market scale requires sophisticated mechanisms for managing trust. Any application that receives a signed request for action is forced to answer the central question "Is the key used to sign this request authorized to take this action?" In certain applications, this question reduces to "Does this key belong to this person?" In others, the authorization question is considerably more complicated, and resolving it requires techniques for formulating security policies and security credentials, determining whether particular sets of credentials satisfy the relevant policies, and explicitly placing trust in third parties that must issue credentials and author policies.

In this talk, we will explain our general approach to the problem and our "trust management system," called PolicyMaker.

Key ideas that inform our approach include:

Unified mechanism: Policies, credentials, and trust relationships are expressed as programs in a simple programming language. Existing systems are forced to treat these concepts separately. By providing a common language for policies, credentials, and relationships, we make it possible for diverse network applications to handle trust management in a comprehensive and largely transparent manner.

Separation of mechanism from policy: The mechanism for verifying credentials does not depend on the credentials themselves or the semantics of the applications that use them. This allows many different applications with widely varying policy requirements to share a single certificate verification infrastructure.

Flexibility: Our system is expressively rich enough to support the complex trust relationships that can occur in the very large-scale network applications currently being developed. At the same time, simple and standard policies, credentials, and relationships can be expressed succinctly and comprehensibly. In particular, PGP and X.509 "certificates" need only trivial modifications to be usable in our framework.

Locality of control: Each party in the network can decide in each circumstance whether to accept the credentials presented by a second party or, alternatively, on which third party it should rely for the appropriate "certificate."
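To make the key ideas concrete, here is an added toy compliance checker in the spirit of the approach described above; it is not PolicyMaker's own syntax or engine, and the key labels, request strings and email scenario are constructed. Policy and credentials are both programs (filters) that interpret an otherwise opaque request, the engine itself is application-independent, and trust extends outward only from the local policy, so a credential from an issuer the policy never trusts is simply never consulted.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Set

# Requests are opaque, application-defined text: the engine never parses
# them; only the policy and credential programs (filters) interpret them.
Request = str
# A filter inspects the request and returns the set of keys it endorses.
Filter = Callable[[Request], Set[str]]

@dataclass(frozen=True)
class Assertion:
    # "POLICY" marks the verifier's own local policy; any other value is the
    # (constructed) label of the public key that signed the credential.
    source: str
    filter: Filter

def check_compliance(request: Request, requester: str,
                     assertions: List[Assertion]) -> bool:
    """True if `requester` is authorised for `request`.

    Trust starts with the local policy alone and grows only through assertions
    whose source is already trusted, until no new keys appear (a fixpoint).
    """
    trusted: FrozenSet[str] = frozenset({"POLICY"})
    while True:
        endorsed: Set[str] = set()
        for a in assertions:
            if a.source in trusted:
                endorsed |= a.filter(request)
        if endorsed <= trusted:          # no new keys: fixpoint reached
            return requester in trusted
        trusted = trusted | endorsed

# Constructed example for an email application (not from the paper):
def local_policy(req: Request) -> Set[str]:
    # Rely on the company CA, but only for mail-signing requests.
    return {"ca-key"} if req.startswith("sign-mail ") else set()

def ca_credential(req: Request) -> Set[str]:
    # The CA binds alice-key to one address and endorses it only there.
    return {"alice-key"} if "from=alice@example.com" in req else set()

def rogue_credential(req: Request) -> Set[str]:
    return {"eve-key"}   # endorses eve for anything; its issuer is untrusted

ASSERTIONS = [
    Assertion("POLICY", local_policy),
    Assertion("ca-key", ca_credential),
    Assertion("mallory-key", rogue_credential),
]
```

A real engine would additionally verify each credential's signature against its source key before consulting its filter; that step is omitted here to keep the trust-propagation logic visible.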

PolicyMaker is now being used to manage trust in several applications, including email, electronic licensing, and Internet content-labelling.

[BFL] M. Blaze, J. Feigenbaum, and J. Lacy, "Decentralized Trust Management," IEEE Symposium on Security and Privacy, Oakland CA, May 1996.

For more information, contact: {mab,jf,lacy}@research.att.com.