|摘要: ||自動信任協商(Automated Trust Negotiation)被提出以用於分散式系統架構之下進行存取控制以及認證之問題，其中心訴求是為了實現在多個虛擬組織之間的資源共享和協同運算，需要透過一種快速、有效的機制替數目龐大、動態分散的個體或組織之間建立信任關係，而服務之間的信任關係常常是動態建立、調整，需要依靠協商方式達成協同或資源共享的目的，並能維護服務的自制性、隱私性等安全需要。通訊雙方於協商過程中會透過指定的存取控制政策(Access Control Policy)來互相描述對方必須滿足的特徵，特徵通常是由憑據(Credential)構成，透過一連串的互相描述以及滿足，最後建立信任關係。|
Automated trust negotiation is proposed to be used under the framework of distributed systems for the issues of access control and authentication. The most important demand is to achieve more resource sharing and collaborative computing between many virtual organizations. In order to implement the requirement, we need a fast and effective mechanism for the large number of dynamically distributed individuals or organizations to establish trust; in addition, the trust relationship between many network services often dynamically establish and adjust, so we need to rely on negotiation to achieve the purpose of collaboration or resource sharing and also can make maintenance of self-control, privacy and other security issues. Communicating parties in the negotiation process describe each other''s characteristics that should be satisfied through the specified access control policies, and the characteristics usually consist of credentials. Via a series of descriptions and fulfillments, finally the two parties establish a mutual trust relationship.
So far, the research of automated trust negotiation interests include infrastructure, access control policy and credentials, negotiation strategies, negotiation protocol, negotiation systems…etc., this article focuses on the research about the assignments of access control policies and the processes of negotiation strategies in the trust negotiation. Access control policies are assigned to regulate credentials that should be satisfied while accessing protected resources; however, in order to avoid that the policy consistency checking mechanism is too complex in the cross-region, it is necessary to make reasonable constraints for policy assignments. Nevertheless, it cannot really concretely assign policies for all the resources only through setting up the policy requirements and representing the policy format, and authority should be also considered in policy assignments. To make the automated trust negotiation be more specific implementation, this paper proposed proprietary and concrete policy assignments and implement them with the concept "classification authority".
On the other hand, in order to make the process of establishing trust rationalization, a specific negotiation strategy will be proposed. In the past, a variety of proposed negotiation strategies had their own demands, but there are still several flaws for the design of the operation. For example, the Eager strategy, it has high efficiency, but the reason that it has disclosed irrelevant credentials in the handshake mechanism results in a poor security; the PRUNES, it has high security defense, but it makes low negotiation efficiency based on the concept of backtracking. In this paper, we retain the advantages of each of the negotiation strategy and try to integrate a hybrid negotiation strategy. Based on Parsimonious strategy, we have made a binding using the features of Eager and PRUNES strategies; in addition, we add iteration computing to improve the negotiation efficiency. In the experimental results, we have proved that the proposed hybrid negotiation strategy does take into account the performance and security.