I’m proposing to build an authentication tool based on the semantic web. Instead of the traditional form of authentication by identity alone, the tool will also make use of meta-data to make decisions. For example, X can access Y’s medical file if X is a physician of Y. Suppose Y has switched doctors; then X should no longer have access to it. Things I am taking into consideration include trust networks and an ontology to describe authentication information.
Authentication is used to identify individuals. In a typical scenario, a principal, A, wants to prove its identity to an authenticator, B. A common way to authenticate is through a Public Key Infrastructure (PKI), where each entity owns a key pair: a public key and a private key. The public key is published while the private key is kept secret. Public key authentication therefore works by having A prove its identity by demonstrating use of its private key. Since only A knows its own private key, the principal who demonstrates use of that private key must be A, provided the key has not been compromised and B has a trustworthy binding between A's identity and A's public key (the certificate that a PKI supplies).
Another concept closely related to authentication is access control. Access control determines which entities may access a protected resource, such as a file or a system. Access control is often identity based: to gain access to a resource, an entity first has to prove its identity by authenticating.
Consider this scenario. A professor provides solutions to a homework assignment. To prevent students from other institutions from downloading them, he may want only registered students to have access to the file.
The problem with identity-based access control is that the owner of a resource has to explicitly grant access to each individual, as with an access control list in Unix.
The semantic web opens up a different way of doing access control. Instead of describing access rights for each individual, we can describe access control as a set of conditions. In the scenario above, the condition would be for the entity who wishes to access the file to prove that he or she is a currently registered student.
The problem of authentication is thus extended from the classical one of proving one's identity to showing that this identity actually satisfies the access conditions.
To verify a credential, the authenticator first verifies the signature on it. Then it determines what type of credential it is. The authenticator can give a weight to each acceptable type of credential. Weights range from 0 to 1, with 0 representing a totally unacceptable credential and 1 a totally acceptable one. In the example above, two kinds of credential might be accepted: an RDF statement stating that X is a registered student of Y, and a graded assignment returned to X for the course. There is a weight, w1, associated with the RDF statement and another weight, w2, associated with the graded assignment.
A trust value is also attached to the entity that signs the credential. Trust values range from 0 to 1, with 0 meaning absolute distrust and 1 absolute trust. Suppose the owner of the resource assigns trust value t1 to the entity that signs the RDF statement and t2 to the entity that signs the graded assignment. To rate a credential, we multiply its weight by the trust value of the entity that signed it. Hence the RDF statement has a rating of w1*t1 and the graded assignment a rating of w2*t2. The authenticator may grant access if the rating exceeds a certain threshold. An entity may supply more than one credential; in that case the average rating is computed. In the scenario above, if both the RDF statement and the graded assignment are provided, the overall rating is (w1*t1 + w2*t2)/2. Note that with averaging a weak second credential lowers the overall rating rather than reinforcing a strong one.
Some credentials are time sensitive. For example, the RDF statement that X is a registered student of Y is no longer valid the moment X drops the course or the semester ends. Hence X should not be able to access the solutions in future semesters.
To address the timeliness of credentials, a time-sensitive credential can include a time stamp indicating when the credential was created. The assigned weight can then vary according to the time stamp. An expiry date may also be included.
In the RDF statement scenario, the time stamp indicates when the credential was created and the expiry date is set to the end of the semester. The weight assigned to it may decay as a function of time. Hence, towards the middle of the semester, the RDF statement alone may no longer provide a high enough rating for access to be granted, and the entity will have to demonstrate a stronger credential in the form of a recently graded assignment. Alternatively, the authenticator may contact the registrar to verify that the credential is still valid. We leave the weight-assignment rules to the administrator.
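As an added example (not part of the original proposal), the following Go program implements the rating rule from the preceding paragraphs end to end: each credential's Ed25519 signature is verified, the credential is weighted by type, multiplied by the trust value of its signer, decayed linearly between its time stamp and expiry date, and the average over all submitted credentials is compared with a threshold. The credential type names, weights, trust values, dates and keys are constructed for the example; linear decay for every type and the Ed25519-over-JSON signature format are choices made here, since the proposal leaves the weight-assignment rules to the administrator.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Body is the claim a credential carries: Statement stands in for the RDF triple,
// IssuedAt and Expires are the time stamp and expiry date discussed above.
type Body struct {
	Type      string    `json:"type"`
	Statement string    `json:"statement"`
	IssuedAt  time.Time `json:"issued_at"`
	Expires   time.Time `json:"expires"`
}

// Credential is a Body plus the signer's public key and Ed25519 signature over canonical(Body).
type Credential struct {
	Body      Body
	Signer    ed25519.PublicKey
	Signature []byte
}

// Policy is what the resource owner configures (the trust map plays the role of trust.txt).
type Policy struct {
	Weights   map[string]float64 // credential type -> w in [0,1]
	Trust     map[string]float64 // hex(signer public key) -> t in [0,1]
	Threshold float64            // minimum averaged rating that grants access
}

// canonical gives the signed bytes; struct field order keeps the encoding stable.
func canonical(b Body) []byte { out, _ := json.Marshal(b); return out }
func signerID(pk ed25519.PublicKey) string { return hex.EncodeToString(pk) }

// Issue is what the registrar or grader runs to sign a claim.
func Issue(priv ed25519.PrivateKey, b Body) Credential {
	return Credential{Body: b, Signer: priv.Public().(ed25519.PublicKey), Signature: ed25519.Sign(priv, canonical(b))}
}

// Rate returns w*t for one credential at time now. A signature that fails to verify is an
// error (forgery or tampering), not a rating of 0. The length check matters because
// ed25519.Verify panics on a malformed key. Unknown types/signers get 0; expired ones rate 0.
func (p Policy) Rate(c Credential, now time.Time) (float64, error) {
	if len(c.Signer) != ed25519.PublicKeySize || !ed25519.Verify(c.Signer, canonical(c.Body), c.Signature) {
		return 0, errors.New("credential signature does not verify")
	}
	if now.Before(c.Body.IssuedAt) || !now.Before(c.Body.Expires) {
		return 0, nil
	}
	w, t := p.Weights[c.Body.Type], p.Trust[signerID(c.Signer)]
	// Linear decay: full weight when issued, 0 at expiry. now lies in [IssuedAt, Expires), so the divisor is positive.
	w *= c.Body.Expires.Sub(now).Seconds() / c.Body.Expires.Sub(c.Body.IssuedAt).Seconds()
	return w * t, nil
}

// Decide applies the averaging rule: mean of all ratings compared with the threshold.
func (p Policy) Decide(creds []Credential, now time.Time) (bool, float64, error) {
	sum := 0.0
	for _, c := range creds {
		r, err := p.Rate(c, now)
		if err != nil {
			return false, 0, err // one bad signature fails the whole submission
		}
		sum += r
	}
	if len(creds) == 0 {
		return false, 0, nil
	}
	avg := sum / float64(len(creds))
	return avg >= p.Threshold, avg, nil
}

// buildScenario constructs the professor's policy and two credentials for X (all values made up).
func buildScenario() (Policy, Credential, Credential) {
	regPub, regPriv, _ := ed25519.GenerateKey(rand.Reader)
	gradPub, gradPriv, _ := ed25519.GenerateKey(rand.Reader)
	p := Policy{
		Weights:   map[string]float64{"registered-student": 0.8, "graded-assignment": 1.0},
		Trust:     map[string]float64{signerID(regPub): 1.0, signerID(gradPub): 0.9},
		Threshold: 0.5,
	}
	day := func(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }
	student := Issue(regPriv, Body{Type: "registered-student", Statement: "X is a registered student of Y",
		IssuedAt: day(2024, 9, 1), Expires: day(2024, 12, 31)})
	graded := Issue(gradPriv, Body{Type: "graded-assignment", Statement: "assignment 3 of X, graded 87/100",
		IssuedAt: day(2024, 11, 20), Expires: day(2025, 11, 20)})
	return p, student, graded
}

func main() {
	p, student, graded := buildScenario()
	now := time.Date(2024, 11, 30, 0, 0, 0, 0, time.UTC) // late in the semester
	ok1, r1, _ := p.Decide([]Credential{student}, now)
	ok2, r2, _ := p.Decide([]Credential{student, graded}, now)
	fmt.Printf("registration alone: grant=%v (%.3f); with graded work: grant=%v (%.3f)\n", ok1, r1, ok2, r2)
}
```

Two things the worked numbers make visible. Late in the semester the registration alone rates about 0.8 * 31/121 = 0.205 and is refused, while adding the graded assignment lifts the average to about 0.54 and is accepted; after the semester the expired registration rates 0 and, because of averaging, drags the pair below the threshold even though the assignment alone would pass. A policy may therefore prefer to ignore zero-rated credentials or take the maximum. Separately, a credential whose signature does not verify is reported as an error rather than averaged in as 0, so a forgery is never silently diluted away.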
Credentials transmitted over the network can be intercepted by anyone monitoring it, and a captured credential could then be presented by someone who is not its subject. Hence the entity that submits a credential must also prove that it owns it.
Credential ownership may be stated explicitly or implicitly. For example, the graded assignment may state explicitly that it is X's graded assignment, while the RDF statement that X is a registered student of Y only implies that X should own the credential. In the implicit case, the authenticator has to infer the owner from the RDF statement. This can be difficult if the credential contains multiple statements, so we strongly recommend stating ownership explicitly, for example by naming the owner's public key in the credential.
Once the owner of the credential is established, the authenticator requires the entity that submits the credential to prove that it owns it. This can be done with classical authentication methods: the authenticator generates a fresh random string (a nonce) for the entity to sign, and the signature on that string demonstrates the entity's knowledge of the owner's private key. The string must be fresh for every challenge, so that a signature captured on the network cannot be replayed later.
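The challenge-response step described above, as an added example in Go that is not the proposal's own code. The credential names its owner explicitly by public key, so that the authenticator never has to infer ownership; the authenticator hands out a fresh 32-byte nonce that can be answered once, and the submitter signs that nonce together with the credential using the owner's private key. The type and function names (OwnedCredential, Authenticator, Challenge, Respond, Verify), the domain-separation string and all keys are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// OwnedCredential names its owner explicitly: the public key that must answer
// the ownership challenge is part of the content the issuer signs.
type OwnedCredential struct {
	Statement string
	Owner     ed25519.PublicKey // subject of the claim
	Signer    ed25519.PublicKey // issuer who vouches for the claim
	Signature []byte            // issuer's signature over signedBytes()
}

// signedBytes binds Statement and Owner together so neither can be swapped.
func (c OwnedCredential) signedBytes() []byte {
	return append([]byte(c.Statement+"\x00"), c.Owner...)
}

// challengeMessage is what the owner signs: a domain tag, the nonce and the
// credential, so a response is useless for any other nonce or credential.
func challengeMessage(c OwnedCredential, nonce []byte) []byte {
	msg := append([]byte("semweb-ownership-proof\x00"), nonce...)
	return append(msg, c.signedBytes()...)
}

// Authenticator holds the trusted issuers (the role of trust.txt) and the
// nonces it has handed out and not yet seen answered.
type Authenticator struct {
	trustedIssuers map[string]bool
	outstanding    map[string]bool
}

func NewAuthenticator(issuers ...ed25519.PublicKey) *Authenticator {
	a := &Authenticator{trustedIssuers: map[string]bool{}, outstanding: map[string]bool{}}
	for _, pk := range issuers {
		a.trustedIssuers[hex.EncodeToString(pk)] = true
	}
	return a
}

// Challenge returns a fresh random nonce; each one may be answered once.
func (a *Authenticator) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	a.outstanding[hex.EncodeToString(nonce)] = true
	return nonce, nil
}

// Respond is the submitter's side: sign the challenge with the owner's private key.
func Respond(priv ed25519.PrivateKey, c OwnedCredential, nonce []byte) []byte {
	return ed25519.Sign(priv, challengeMessage(c, nonce))
}

// Verify checks issuer trust and signature, that the nonce is one we issued and
// unused (it is consumed whatever the outcome), and that the response is the owner's.
func (a *Authenticator) Verify(c OwnedCredential, nonce, response []byte) error {
	if !a.trustedIssuers[hex.EncodeToString(c.Signer)] { // also guarantees Signer has a valid length
		return errors.New("credential issuer is not trusted")
	}
	if !ed25519.Verify(c.Signer, c.signedBytes(), c.Signature) {
		return errors.New("issuer signature does not verify")
	}
	key := hex.EncodeToString(nonce)
	if !a.outstanding[key] {
		return errors.New("nonce was never issued or was already used")
	}
	delete(a.outstanding, key)
	if len(c.Owner) != ed25519.PublicKeySize || !ed25519.Verify(c.Owner, challengeMessage(c, nonce), response) {
		return errors.New("response was not signed by the credential's owner")
	}
	return nil
}

// scenario builds a registrar, a student X and an eavesdropper; all keys are made up for this example.
func scenario() (*Authenticator, OwnedCredential, ed25519.PrivateKey, ed25519.PrivateKey) {
	regPub, regPriv, _ := ed25519.GenerateKey(rand.Reader)
	xPub, xPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, evePriv, _ := ed25519.GenerateKey(rand.Reader)
	c := OwnedCredential{Statement: "X is a registered student of Y", Owner: xPub, Signer: regPub}
	c.Signature = ed25519.Sign(regPriv, c.signedBytes())
	return NewAuthenticator(regPub), c, xPriv, evePriv
}

func main() {
	a, c, xPriv, evePriv := scenario()
	n1, _ := a.Challenge()
	fmt.Println("owner answers fresh nonce:", a.Verify(c, n1, Respond(xPriv, c, n1)))
	n2, _ := a.Challenge()
	fmt.Println("eavesdropper replays old response:", a.Verify(c, n2, Respond(xPriv, c, n1)))
	n3, _ := a.Challenge()
	fmt.Println("eavesdropper signs with own key:", a.Verify(c, n3, Respond(evePriv, c, n3)))
}
```

The message the owner signs includes both the nonce and the credential bytes: including the nonce is what defeats replay of a captured response, and including the credential prevents a response obtained for one credential from being presented with another. Because the issuer's signature covers the Owner field, an eavesdropper who rewrites the owner to their own key invalidates the credential rather than hijacking it.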
Credentials is a sample of how a credential can be written. The access conditions are stated in access.txt, and trust.txt keeps a list of identities whose signatures are trusted.