Abstract
Trust negotiation supports authentication and access
control across multiple security domains by allowing parties
to use non-forgeable digital credentials to establish
trust. By their nature trust negotiation systems are used
in environments that are not always reliable. In particular,
it is important not only to protect negotiations against
malicious attacks, but also against failures and crashes
of the parties or of the communication means. To address
the problem of failures and crashes, we propose
an efficient and secure recovery mechanism. The mechanism
includes two recovery protocols, one for each of the
two main negotiation phases. Because both services and
credentials have to be protected according to their associated
disclosure policies, most approaches distinguish a phase of
disclosure policy evaluation from a phase devoted to the actual
credential exchange. We prove that the protocols, besides
being efficient, are secure with respect to integrity
and confidentiality, and are idempotent. To the best of our
knowledge, this is the first effort for achieving robustness
and fault tolerance of trust negotiation systems.