Managing Trust in an Information-Labeling System


Authors: M. Blaze (1), J. Feigenbaum (1), P. Resnick (1), M. Strauss (2)
1. AT&T Laboratories
2. AT&T Laboratories and Iowa State University
Abstract: Rapid growth in the Internet has focussed attention on a problem common to every medium that serves large and diverse audiences: Not all material is suitable for all audience members. Traditionally, broadcast media such as television and radio have been subject to more restrictions than print media, for exactly this reason. The PICS information-labeling system [RM] provides a flexible approach to filtering information at the point of reception rather than at the point of distribution, thus holding out the possibility of avoiding government censorship in the process of controlling access to information on the Internet. The success of PICS (Platform for Internet Content Selection) as an approach to access control requires a mechanism for trust management.

The PICS approach stipulates that documents will have labels, formatted in a uniform way specified in the PICS standard, that describe relevant aspects of their contents. For example, the RSAC (Recreational Software Advisory Council) scheme assigns four numbers to a document, in an attempt to indicate how much sex, nudity, violence, or potentially offensive language the document contains. Other schemes may label documents according to entirely different criteria, e.g., whether they contain material in specific topical areas. PICS-compliant client software will examine the label(s) on a document and decide whether the document satisfies all of the requirements specified in the local "PICS profile" or access policy. For example, a profile might state "Viewing is allowed if the document is labeled two or less on the violence scale, and the label is certified as accurate by GoodHousekeeping." Crucial trust management questions thus include "how are access policies expressed?" and "whom does a given recipient trust to label documents?"

This paper shows how to use the PolicyMaker system [BFL] to solve the trust management problem in PICS. Although PolicyMaker was originally designed to address trust management problems in network services that process signed requests for action and use public-key cryptography, it is applicable mutatis mutandis to the trust management problem for information-labeling. The question "is the key used to sign this request authorized to take this action?" corresponds to "do the labels on this document satisfy the viewing requirements of this viewer?" Similarly, the local policy that "I trust this certifying authority to authorize keys for this category of actions" is the analog of "I trust this rating authority to label documents in this category." This unforeseen use of the PolicyMaker framework is evidence of the framework's power and adaptability.

[BFL] M. Blaze, J. Feigenbaum, and J. Lacy, "Decentralized Trust Management," IEEE Symposium on Security and Privacy, Oakland CA, May 1996.

[RM] P. Resnick and J. Miller, "PICS: Internet Access Controls Without Censorship," Communications of the ACM, October 1996.

For more information, contact: mstrauss@research.att.com