Using PICS Labels for Trust Management


Rohit Khare
Abstract: As Web and Internet usage expands into new application domains, users need automatable mechanisms to establish trust for information they use. The Platform for Internet Content Selection (PICS) is a scheme for rating and labeling resources that is machine-readable and can accommodate a wide variety of rating schemes. When combined with digital signatures to establish cryptographic authentication, PICS labels could form the basis for user-definable trust policies on the Internet.

PICS allows rating systems to define scales for describing content, and for many rating services to label resources with their evaluations. This allows labels to be provided by authors or by third parties and to be presented with the content or from separate label bureaus. User agents can dynamically construct user interfaces to represent labels and constraints on acceptable ratings. When the resulting decisions are broadened from "show/don't show this page to the user", one can imagine:

        "execute any code from SoftwarePublisher, Inc."
        "execute any code above 3/5 on the InfoWeek quality scale"
        "trust any identity certificate above Class 2 from VeriCert"
        "highlight documents labelled 'true' by their signers"

We present this system in the context of several near-term industrial scenarios: evaluating and executing programs ("applets"), configuring acceptable certification authorities, and distributing signed documents. In each case, PICS offers a flexible, user-configurable mechanism for specific trust management applications.

Open issues to be discussed include:

        Interaction with Public Key Infrastructures
        Cryptographic formats and capabilities
        Evolution of PICS rating syntax (currently rational numbers)
        Embedding PICS labels within certificates (X.509, SDSI)

This talk is based on work done at the World Wide Web Consortium with its Digital Signature Initiative Group and Security Editorial Review Board.

For more information, contact khare@w3.org.