1. The Traust Authorization Service A. Lee, M. Winslett, J. Basney, and V. Welch University of Illinois at Urbana-Champaign www.iti.uiuc.edu Goal: A scalable means of access control for resources shared across organizational boundaries, supporting:  bilateral trust establishment,  run-time access control policy discovery,  client and resource privacy, and  legacy and trust-aware resources. Trust-Aware Scenario: Tight binding of Traust and GridFTP using embedded access hints Legacy Scenario: Loose binding of Traust and web site Design: Traust utilizes the TrustBuilder framework for automated trust negotiation to conduct trust negotiation sessions within the TLS protocol. Usage Scenarios:  (1) TN to Protect Sensitive Resource Request (3) TN to Determine Client Authorization (4) Credential(s) Needed to Access Resource (2) Resource Request TLS Tunnel Alice Traust Service The iterative nature of automated trust negotiation allows resource access policies to be discovered incrementally, disclosing more of the relevant policies as the trust between the client and Traust service grows. The bilateral nature of automated trust negotiation allows Alice to protect her sensitive credentials with access policies that the Traust service must satisfy prior to their disclosure. After Alice discloses enough credentials to satisfy the resource access policy, the Traust server issues her one or more credentials that she can use to access the requested resource. These credentials could be (but are not limited to) username/password pairs, X.509 certificates, SAML assertions, or Kerberos tickets. Clients can enable local classifiers and heuristics to identify potentially sensitive resource requests. Content-triggered trust negotiation for sensitive resource requests can prevent inadvertent disclosure of those requests to imposters posing as the Traust Server. Client Features: User-defined sensitivity levels Open API for request classification subsystem Credential caching Server Features: No limits on size of protection domain (e.g., single host or large enterprise) Can provide both static and dynamically acquired credentials (1) User visits web site (2) Site provides an access hint to the user; User then invokes her Traust client application Traust Service (3) Traust used to obtain one-time use password (4) Log in Alice Future Directions: Remotely accessible Traust user agents Secure client-side credential caching policies Multi-party negotiations Negotiation-level credential location hints bigstorage.com domain gridftp.bigstorage.com traust.bigstorage.com Alice GridFTP Client Application (1) Log in request (2) cd earthquake (1a) Query for Traust server info (1b) Traust server info (1c) Use Traust to obtain login credentials (1d) Log in (2a) cd earthquake (2b) failure with embedded access hint (2c) Use Traust to pursue access hint; new access credential issued (2d) re-authenticate (2e) cd earthquake Scenario Notes: Client application interfaces with local Traust client process Access hints embedded at the application protocol level In GridFTP, access hints and re- authentication can be used to enforce least-privilege by changing Alice’s protection level as she traverses the file system Approach: Design a service that uses automated trust negotiation to map sets of attestations issued by well-known external entities into locally-meaningful access credentials.