Regulating e-commerce through certified contracts

18th Annual Computer Security Applications Conference, 2002. Proceedings. Pub Date : 2002-12-09 DOI:10.1109/CSAC.2002.1176276

V. Ungureanu

{"title":"Regulating e-commerce through certified contracts","authors":"V. Ungureanu","doi":"10.1109/CSAC.2002.1176276","DOIUrl":null,"url":null,"abstract":"Access control has traditionally assumed a single, monolithic authorization policy, generally expressed as an access matrix. We argue that this assumption does not fit e-commerce applications, which are governed by a potentially large set of independently stated, evolving contracts. In order to support this growing class of applications we propose an enforcement mechanism which uses certified-contracts as authorization policies. A certified-contract is obtained: (a) by expressing contract terms in a formal, interpretable language, and (b) by having it digitally signed by a trusted principal. We show that this approach would make dissemination, revision, and annulment of contracts more manageable and more efficient. We propose a language for stating contract terms, and present several formal examples of certified contracts. We describe the implementation of the enforcement mechanism, which can be used as an extension to a Web server or as a separate server with interface to application. The proposed model does not require any modification of the current certificate infrastructure, and only minor modifications to servers.","PeriodicalId":389487,"journal":{"name":"18th Annual Computer Security Applications Conference, 2002. Proceedings.","volume":"42 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2002-12-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"18th Annual Computer Security Applications Conference, 2002. Proceedings.","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/CSAC.2002.1176276","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 2

Abstract

Access control has traditionally assumed a single, monolithic authorization policy, generally expressed as an access matrix. We argue that this assumption does not fit e-commerce applications, which are governed by a potentially large set of independently stated, evolving contracts. In order to support this growing class of applications we propose an enforcement mechanism which uses certified-contracts as authorization policies. A certified-contract is obtained: (a) by expressing contract terms in a formal, interpretable language, and (b) by having it digitally signed by a trusted principal. We show that this approach would make dissemination, revision, and annulment of contracts more manageable and more efficient. We propose a language for stating contract terms, and present several formal examples of certified contracts. We describe the implementation of the enforcement mechanism, which can be used as an extension to a Web server or as a separate server with interface to application. The proposed model does not require any modification of the current certificate infrastructure, and only minor modifications to servers.

查看原文本刊更多论文

通过认证合同规范电子商务

访问控制传统上采用单一的、整体的授权策略，通常表示为访问矩阵。我们认为这种假设不适合电子商务应用程序，因为电子商务应用程序由一组潜在的、独立声明的、不断发展的合同管理。为了支持这类不断增长的应用程序，我们提出了一种使用认证契约作为授权策略的强制机制。获得经认证的合同:(A)通过用正式的、可解释的语言表达合同条款，以及(b)通过由可信主体对其进行数字签名。我们表明，这种方法将使合同的传播、修订和取消更易于管理和更有效。我们提出了一种表述合同条款的语言，并提出了几个正式的认证合同的例子。我们描述了强制机制的实现，该机制可以用作Web服务器的扩展，也可以用作具有应用程序接口的单独服务器。所建议的模型不需要对当前的证书基础结构进行任何修改，只需要对服务器进行微小的修改。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

18th Annual Computer Security Applications Conference, 2002. Proceedings.

自引率

0.00%

发文量