Assigning responsibility for failed obligations

Keith Irwin; Ting Yu; William H. Winsborough

doi:10.1007/978-0-387-09428-1_21

Assigning responsibility for failed obligations

Keith Irwin^*, Ting Yu, William H. Winsborough

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

10 Citations (Scopus)

Abstract

Traditional security policies largely focus on access control. Though essential, access control is only one aspect of security. In particular, the correct behavior and reliable operation of a system depends not only on what users are permitted to do, but oftentimes on what users are required to do. Such obligatory actions are integral to the security procedures of many enterprises. Unlike access control, obligations assigned to individual users are often unenforceable, that is, the system cannot ensure that each obligation will be fulfilled. Accurately determining who was at fault when obligations are not met is essential for responding appropriately, be it in terms of modified trust relationships or other recourse. In this paper, based on a formal metamodel of obligations, we propose an approach for fault assessment through active online tracking of responsibilities and dependencies between obligations.We identify and formalize two key properties for the correct assessment of fault, and design responsibility assignment and fault assessment algorithms for a concrete yet general access control and obligation system.

Original language	English
Title of host publication	Trust Management II
Subtitle of host publication	Proceedings of IFIPTM 2008: Joint iTrust and PST Conferences on Privacy, Trust Management and Security
Editors	Yücel Karabulut, Mitchell Mitchell, Peter Herrmann, Christian Damsgaard Jensen
Pages	327-342
Number of pages	16
DOIs	https://doi.org/10.1007/978-0-387-09428-1_21
Publication status	Published - 2008
Externally published	Yes

Publication series

Name	IFIP International Federation for Information Processing
Volume	263
ISSN (Print)	1571-5736

Access to Document

10.1007/978-0-387-09428-1_21

Cite this

Irwin, K., Yu, T., & Winsborough, W. H. (2008). Assigning responsibility for failed obligations. In Y. Karabulut, M. Mitchell, P. Herrmann, & C. D. Jensen (Eds.), Trust Management II: Proceedings of IFIPTM 2008: Joint iTrust and PST Conferences on Privacy, Trust Management and Security (pp. 327-342). (IFIP International Federation for Information Processing; Vol. 263). https://doi.org/10.1007/978-0-387-09428-1_21

Irwin, Keith ; Yu, Ting ; Winsborough, William H. / Assigning responsibility for failed obligations. Trust Management II: Proceedings of IFIPTM 2008: Joint iTrust and PST Conferences on Privacy, Trust Management and Security. editor / Yücel Karabulut ; Mitchell Mitchell ; Peter Herrmann ; Christian Damsgaard Jensen. 2008. pp. 327-342 (IFIP International Federation for Information Processing).

@inproceedings{1d86a86e64b646d7af08333af87f15d5,

title = "Assigning responsibility for failed obligations",

abstract = "Traditional security policies largely focus on access control. Though essential, access control is only one aspect of security. In particular, the correct behavior and reliable operation of a system depends not only on what users are permitted to do, but oftentimes on what users are required to do. Such obligatory actions are integral to the security procedures of many enterprises. Unlike access control, obligations assigned to individual users are often unenforceable, that is, the system cannot ensure that each obligation will be fulfilled. Accurately determining who was at fault when obligations are not met is essential for responding appropriately, be it in terms of modified trust relationships or other recourse. In this paper, based on a formal metamodel of obligations, we propose an approach for fault assessment through active online tracking of responsibilities and dependencies between obligations.We identify and formalize two key properties for the correct assessment of fault, and design responsibility assignment and fault assessment algorithms for a concrete yet general access control and obligation system.",

author = "Keith Irwin and Ting Yu and Winsborough, {William H.}",

year = "2008",

doi = "10.1007/978-0-387-09428-1_21",

language = "English",

isbn = "9780387094274",

series = "IFIP International Federation for Information Processing",

pages = "327--342",

editor = "Y{\"u}cel Karabulut and Mitchell Mitchell and Peter Herrmann and Jensen, {Christian Damsgaard}",

booktitle = "Trust Management II",

}

Irwin, K, Yu, T & Winsborough, WH 2008, Assigning responsibility for failed obligations. in Y Karabulut, M Mitchell, P Herrmann & CD Jensen (eds), Trust Management II: Proceedings of IFIPTM 2008: Joint iTrust and PST Conferences on Privacy, Trust Management and Security. IFIP International Federation for Information Processing, vol. 263, pp. 327-342. https://doi.org/10.1007/978-0-387-09428-1_21

Assigning responsibility for failed obligations. / Irwin, Keith; Yu, Ting; Winsborough, William H.
Trust Management II: Proceedings of IFIPTM 2008: Joint iTrust and PST Conferences on Privacy, Trust Management and Security. ed. / Yücel Karabulut; Mitchell Mitchell; Peter Herrmann; Christian Damsgaard Jensen. 2008. p. 327-342 (IFIP International Federation for Information Processing; Vol. 263).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Assigning responsibility for failed obligations

AU - Irwin, Keith

AU - Yu, Ting

AU - Winsborough, William H.

PY - 2008

Y1 - 2008

N2 - Traditional security policies largely focus on access control. Though essential, access control is only one aspect of security. In particular, the correct behavior and reliable operation of a system depends not only on what users are permitted to do, but oftentimes on what users are required to do. Such obligatory actions are integral to the security procedures of many enterprises. Unlike access control, obligations assigned to individual users are often unenforceable, that is, the system cannot ensure that each obligation will be fulfilled. Accurately determining who was at fault when obligations are not met is essential for responding appropriately, be it in terms of modified trust relationships or other recourse. In this paper, based on a formal metamodel of obligations, we propose an approach for fault assessment through active online tracking of responsibilities and dependencies between obligations.We identify and formalize two key properties for the correct assessment of fault, and design responsibility assignment and fault assessment algorithms for a concrete yet general access control and obligation system.

AB - Traditional security policies largely focus on access control. Though essential, access control is only one aspect of security. In particular, the correct behavior and reliable operation of a system depends not only on what users are permitted to do, but oftentimes on what users are required to do. Such obligatory actions are integral to the security procedures of many enterprises. Unlike access control, obligations assigned to individual users are often unenforceable, that is, the system cannot ensure that each obligation will be fulfilled. Accurately determining who was at fault when obligations are not met is essential for responding appropriately, be it in terms of modified trust relationships or other recourse. In this paper, based on a formal metamodel of obligations, we propose an approach for fault assessment through active online tracking of responsibilities and dependencies between obligations.We identify and formalize two key properties for the correct assessment of fault, and design responsibility assignment and fault assessment algorithms for a concrete yet general access control and obligation system.

UR - http://www.scopus.com/inward/record.url?scp=44149127452&partnerID=8YFLogxK

U2 - 10.1007/978-0-387-09428-1_21

DO - 10.1007/978-0-387-09428-1_21

M3 - Conference contribution

AN - SCOPUS:44149127452

SN - 9780387094274

T3 - IFIP International Federation for Information Processing

SP - 327

EP - 342

BT - Trust Management II

A2 - Karabulut, Yücel

A2 - Mitchell, Mitchell

A2 - Herrmann, Peter

A2 - Jensen, Christian Damsgaard

ER -

Irwin K, Yu T, Winsborough WH. Assigning responsibility for failed obligations. In Karabulut Y, Mitchell M, Herrmann P, Jensen CD, editors, Trust Management II: Proceedings of IFIPTM 2008: Joint iTrust and PST Conferences on Privacy, Trust Management and Security. 2008. p. 327-342. (IFIP International Federation for Information Processing). doi: 10.1007/978-0-387-09428-1_21

Assigning responsibility for failed obligations

Abstract

Publication series

Access to Document

Other files and links

Fingerprint

Cite this