Page 60 - Trust in ICT 2017
P. 60

1                                                    Trust in ICT


            6.6     Trust Provisioning for Services and Applications

            The entities participating in an ICT service platform need to establish and manage trust relationships in order
            to assert different trust aspects including identity provisioning, privacy enforcement, and context information
            provisioning. Current trust management models address these trust aspects individually when in fact they
            are dependent on each other.

            Identity Provisioning
            One metric that influences the identity provisioning trust is the authentication method. Identity providers
            that  use  very  strong  biometric  authentication  should  be  more  trusted  than  others  that  use  only
            username/password authentication. It is also possible to associate the identity provisioning trust value with
            a specific session, according to the type of authentication used for that session, in case the identity provider
            supports more than one type of authentication method. The user registration policy also influences the
            identity provisioning trust. Identity providers that allow users to freely register without verifying the identity
            of the user (e.g. Google and Yahoo) may not be trusted as much as identity providers that do not allow free
            registration, such as a university or a bank.
            Privacy Enforcement

            Trust in privacy enforcement depends upon the existence of privacy policies in the context provider and
            service provider, which state how the context owner’s data will be handled. These privacy policies should be
            compared with the context owner’s privacy preferences and, in case they match, it is assumed that the
            privacy expectations will be followed. The following metrics have also been proposed to calculate trust values
            regarding  privacy enforcement  aspects:  user  interest  in  sharing,  confidentiality  level of  the  information,
            number of positive previous experiences, number of arbitrary hops, a priori probability of distrusting, and
            service popularity in search engines. The number of arbitrary hops is related with identities issues and the
            chain of certificate authorities between the source and the target of the information. Privacy enforcement
            trust values can be also obtained from trusted third parties specialized in privacy protection issues. Privacy
            protection organizations take care of privacy policies certification in the same way identities are certified
            today by certification authorities. It is noted that privacy recommendations will be provided by informal
            organizations such as virtual users’ communities and customer protection organizations.

            Context Information Provisioning
            The trust in the context providers can be evaluated, for example, through cryptographic mechanisms based
            on Public  Key  Infrastructure  (PKI,  identity coupled) and  through  the  following  metrics  and mechanisms:
            reputation of context provider, statistical analysis of context information provided from the source, and
            context  aggregators  that  compare  redundant  information  from  different  sources  in  order  to  increase
            trustworthiness.  It  is  also  possible  to  evaluate  the  trust  of  the  context  information  based  in  the
            trustworthiness of the quality aspects of one particular instance of context, or in the method used to obtain
            the information. One example is location information, which trustworthiness may vary depending on how
            the information is obtained: from outlook calendars, user personal GPS position, or position of the GSM/WiFi
            base station to which the user is connected.
            ICT service platform is typically a distributed system without a unique central point of control. In such a
            system, in some cases implemented in a fully adhoc configuration, multiple administrative domains may
            exist. To illustrate this, consider a weather service which provides for mobile phone users the local weather
            forecast  based  on  the  latitude/longitude  of  the  GSM  cell  they  are  in.  In  this  case,  the  weather  service
            provider, the mobile phone operator, and the user personal devices are examples of different administrative
            domains controlled by different administrative entities.
            In this multi administrative domain scenario it is not possible to have a centralized trust provider responsible
            for the management of all trust relationships due to privacy and scalability reasons. In order to support
            distributed  management  of  trust  it  is  designed  a  distributed  trust  management  architecture,  which  is
            presented in Figure 9 [42].






            52
   55   56   57   58   59   60   61   62   63   64   65