Security Protocols

We present a new way to deal with security policy on the web. Our aim is to let people build integrated publishing and e-commerce services using appropriate, simple and uniform mechanisms. Our goal is a single framework that applies equally to the publication of catalogues, music, software, public key certificates and even old fashioned books. Our prototype framework, Jikzi, supports multiple security policies – even in the same document – with a single transparent markup language. Historically, most computer security research was motivated by military concerns; most papers deal with confidentiality, some with authentication. But the emphasis in commerce is on integrity, availability and accountability; confidentiality is often not a major concern at all. This motivates us to take a fresh look at the foundations of our discipline, and revisit not just security policy models but also the authentication and integrity mechanisms we use. The growing importance of XML may simplify much; if it is adopted as widely as some expect, then everything from digital certificate formats through legacy multilevel secure systems will also be up for review. We believe our prototype system indicates a fruitful alternative approach.