1

Using Certified Policies to Regulate E-Commerce Transactions

Victoria UngureanuRutgers University

2

The Problem

Ensuring that actions of agents involved in e-commerce conform with a-priori established

contracts. A contract example:

An airline company, say FlyAway, agrees to sell discounted tickets to a travel company, say TravelRUS, subject to the following provisions:

The purchases are to be made between January 1 2005 and June 30 2005;

The price of each ticket is discounted by 10%; Only agents duly certified as travel agents may buy

tickets at discounted prices.

3

The Problem (cont.)

An enterprise is bound by a potentially large number of disparate contracts: Ex: Wall-Mart, Ford, Daimler-Chrysler, GM have in

excess of 20,000 suppliers operating under different contracts;

New contracts are continuously being established, and previously established contracts end.

A contract has a limited, predefined validity period.

4

The Problem (cont.)

Contracts may be annulled for various reasons For example: the travel agency is bankrupt.

Contracts may be revised For example: the travel agency establishes a new certifying

authority which issues certificates for sale representatives;

Contracts may be stateful: Examples of stateful contract provisions:

Only a limited number of tickets, say 100, may be purchased at the discounted price.

FlyAway accepts reservations. A PO for a reserved ticket is honored only if made within 24 hours from the reservation.

5

The Problem (cont.)

Need to support a large set of autonomous, evolving and stateful contracts.

Current access control mechanisms deal mostly with monolithic, relatively stable, stateless policies.

6

Traditional Approaches

Have a dedicated server for each contract: Problematic, if the number of contracts is large

Combine all contracts in a super policy: The super policy is difficult to construct if the

number of contracts is large; The super policy needs to change every time a new

contract is established, or a contract ends; The super policy needs to change when a contract is

anulled or revised.

7

Overview

Motivation Certificates Certified policies The enforcement mechanism Conclusion

8

A Necessary Parenthesis: Certificates

Are used to prove certain attributes regarding the owner: Ex: the owner is John Doe, and he is employed by

TravelRus, and he is a travel agent;

Are signed by a certification authority; Are presented by the owner to gain certain

rights Are valid for a limited time period; May be revoked for various reasons;

9

Certificate-based Authorization

server

requestcertificatesgranted

denied

Policy

Alice

request

certificat

es

Eve

10

Contract Enforcement Idea: a client presents the policy embedding

contract terms together with other credentials.

server

granted

deniedreque

st

certificatesPolicy

certificates

requestPolicy

11

Certified Policies (CPs)

Are obtained by:

expressing contract terms in a formal, interpretable language;

certifying the contract terms, by signing them by an authority, trusted by the parties involved in the contract.

Advantages: no need for composing a super policy, nor for

establishing a dedicated server for each contract;

12

The Elements of a Certified Policy

Id Validity period Revocation server Version number Repository Initial control state State server Rules formalizing contract terms

regarding access and control regulations

13

Deployment of Certified Policies

Traditional certificates are maintained by repositories;

Similarly, an enterprise can: Express the contracts it is involved in as

certified policies; Store certified policies on designated

repositories, from where agents may retrieve them as needed.

14

Contract Annulment and Revision

If a contract is annulled, the corresponding CP should be invalidated

CP invalidation may be modeled by certificate revocation;

If contract terms need to be revised this can be achieved simply by: revoking the obsolete version of the corresponding

CP, deploying the new version of the CP on a repository

15

System Architecture

Assumes the following trusted entities: Repositories: provide persistent storage for CPs Revocation servers: maintain and disseminate

revocation information; Application servers:

Each server has an associated policy engine, called observer;

Observers verify certificates and interpret and carry out the rules of a CP;

A server is trusted to serve only requests sanctioned by its associated observer.

State servers: maintain the current value of contract states.

16

Enforcement of Certified Policies

application serverrevocation server

observer

request, subject-certificate(s), CP

repository

state server

17

Cluster-based Application Servers

Application servers often use cluster architectures in order to handle effectively high volume traffic.

Cluster-based servers consists of a dispatcher and several back-end servers;

dispatcher

back-endserver

back-endserver

back-endserver

18

Effective Assignment Policies for Cluster-based Servers

The problem: short waiting periods for clients. A (first) solution: the TDA (Type Dependent

Assignment) policy

In broad outline, under TDA: A back-end server acts as state server for a

set of CPs; The dispatcher assigns:

a request governed by a stateful CP to the back-end server that maintains the state of the CP.

a request governed by a stateless CP to the least loaded back-end server.

19

TDA’s Performance Gauged by running a

simulation study driven by empirical data:

compares TDA with Least-Connected policy;

performance metric used by the study is waiting time.

The simulation models: 4 back-end servers 100 contracts uses a trace containing

~170,000 requests arriving over 200 second

considers that 80% of requests are governed by stateful contracts

TDA outperforms Least-Connected by a factor of 4!

20

Conclusion

Policy management operations are easy to perform: Deployment: simply store CPs on appropriate

repositories. Annulment: revoke the corresponding CP; Update: revoke the previous version and deploy the

new one

Easy to deploy: Uses an infrastructure already in place Requires no modifications to the infrastructure, and

only minimal modifications to application servers;

Efficient enforcement.

21

The papers discussing some of these topics appeared in: IEEE Cluster, December 2003; ACM Transactions on Internet

Technologies, February 2005. These papers can be found at:

research.rutgers.edu/~ungurean/

Thanks!

22

Certificate-based Authorization

server

requestcertificatesgranted

denied

request

certificat

es

Policy

Alice

Eve

23

Contract Enforcement

Idea: a client presents the policy embedding contract terms together with other credentials.

server

granted

deniedreque

st

certificates

Policy

certificates

requestPolicy