Trust but verify: accountability for network services

Abstract

This paper promotes accountability as a central design goal for dependable networked systems. We define three properties for accountable systems that extend beyond the basic security properties of authentication, privacy, and integrity. These accountability properties reduce the vulnerability of network services to subversion, tampering, corruption, and abuse. For example, actions taken in accountable systems and their clients are provable or even legally binding, to support contractual relationships in federated systems.We propose a framework for accountable network services, and explore its applicability and limitations. The foundation of our approach is to preserve digitally signed records of actions and/or internal state snapshots of each service, and use them to detect tampering, verify the consistency of actions and behavior, and prove responsibility for unexpected states or actions. We outline the key challenges in generalizing the principles and methodology of accountable design for practical use.