Abstract

To date, "World Wide Web Security" has been publicly associated with debates over cryptographic technology, protocols, and public policy. This narrow focus can obscure the wider challenge of building trusted Web applications. Since the Web aims to be an information space that reflects not just human knowledge but also human relationships, it will soon reflect the full complexity of trust relationships among people, computers, and organizations. Within the computer security community, Trust Management has emerged as a new philosophy for protecting open, decentralized systems, in contrast to traditional tools for securing closed systems. Trust Management is an essential approach, because the Web crosses many trust boundaries that old-school computer security cannot even begin to handle. In this paper, we consider how this philosophy could be applied to the Web. We introduce the fundamental principles, principals, and policies of Trust Management, as well as Web-specific pragmatic issues. In so doing, we develop a taxonomy for how trust assertions can be specified, justified, and validated. We demonstrate the value of this framework by considering the trust questions faced by the designers of applications for secure document distribution, content filtering, electronic commerce, and downloadable-code systems. We conclude by sketching the limits to automatable Trust Management, demonstrating how trust on the Web will adapt to the trust rules of human communities and vice versa.
