In trust negotiation and other forms of distributed proving, networked entities cooperate to form proofs of authorization that are justified by collections of certified attribute credentials. These attributes may be obtained through interactions with any number of external entities and are collected and validated over an extended period of time. Although these collections of credentials in some ways resemble partial system snapshots, current trust negotiation and distributed proving systems lack the notion of a consistent global state in which the satisfaction of authorization policies should be checked. In this article, we argue that unlike the notions of consistency studied in other areas of distributed computing, the level of consistency required during policy evaluation is predicated solely upon the security requirements of the policy evaluator. As such, there is little incentive for entities to participate in complicated consistency preservation schemes like those used in distributed computing, distributed databases, and distributed shared memory. We go on to show that the most intuitive notion of consistency fails to provide basic safety guarantees under certain circumstances and then propose several more refined notions of consistency that provide stronger safety guarantees. We provide algorithms that allow each of these refined notions of consistency to be attained in practice with minimal overheads and formally prove several security and privacy properties of these algorithms. Lastly, we explore the notion of strategic design trade-offs in the consistency enforcement algorithm space and propose several modifications to the core algorithms presented in this article. These modifications enhance the privacy-preservation or completeness properties of these algorithms without altering the consistency constraints that they enforce.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Sarita V. Adve , Kourosh Gharachorloo, Shared Memory Consistency Models: A Tutorial, Computer, v.29 n.12, p.66-76, December 1996  [doi>10.1109/2.546611]
	2	Babaoğlu, O. and Marzullo, K. 1993. Consistent global states of distributed systems: Fundamental concepts and mechanisms. In Distributed Systems, S. J. Mullender, ed. Addison-Wesley, 55--96. Also available as University of Bologna Tech. rep. UBLCS-93-1 at http://www.cs.unibo.it/pub/TR/UBLCS/1993/93-01.ps.gz.
	3	Lujo Bauer , Scott Garriss , Michael K. Reiter, Distributed Proving in Access-Control Systems, Proceedings of the 2005 IEEE Symposium on Security and Privacy, p.81-95, May 08-11, 2005  [doi>10.1109/SP.2005.9]
	4	Cassandra: Distributed Access Control Policies with Tunable Expressiveness, Proceedings of the Fifth IEEE International Workshop on Policies for Distributed Systems and Networks, p.159, June 07-09, 2004
	5	Trust-X: A Peer-to-Peer Framework for Trust Establishment, IEEE Transactions on Knowledge and Data Engineering, v.16 n.7, p.827-842, July 2004  [doi>10.1109/TKDE.2004.1318565]
	6	Piero Bonatti , Pierangela Samarati, Regulating service access and information release on the Web, Proceedings of the 7th ACM conference on Computer and communications security, p.134-143, November 01-04, 2000, Athens, Greece  [doi>10.1145/352600.352620]
	7	W. Cellary , E. Gelenbe , T. Morzy, Concurrency control in distributed database systems, Elsevier Science Inc., New York, NY, 1988
	8	K. Mani Chandy , Leslie Lamport, Distributed snapshots: determining global states of distributed systems, ACM Transactions on Computer Systems (TOCS), v.3 n.1, p.63-75, Feb. 1985  [doi>10.1145/214451.214456]
	9	David R. Cheriton , Dale Skeen, Understanding the limitations of causally and totally ordered communication, Proceedings of the fourteenth ACM symposium on Operating systems principles, p.44-57, December 05-08, 1993, Asheville, North Carolina, United States
	10	Housely, R., Ford, W., Polk, W., and Solo, D. 1999. Internet X.509 Public Key Infrastructure Certificate and CRL Profile. IETF Request for Comments RFC-2459.
	11	Keith Irwin , Ting Yu, Preventing attribute information leakage in automated trust negotiation, Proceedings of the 12th ACM conference on Computer and communications security, November 07-11, 2005, Alexandria, VA, USA  [doi>10.1145/1102120.1102128]
	12	Koshutanski, H. and Massacci, F. 2005. Interactive credential negotiation for stateful business processes. In Proceedings of the 3rd International Conference on Trust Management (iTrust’05). 257--273.
	13	L. Lamport, Proving the Correctness of Multiprocess Programs, IEEE Transactions on Software Engineering, v.3 n.2, p.125-143, March 1977  [doi>10.1109/TSE.1977.229904]
	14	Leslie Lamport, Time, clocks, and the ordering of events in a distributed system, Communications of the ACM, v.21 n.7, p.558-565, July 1978  [doi>10.1145/359545.359563]
	15	Adam J. Lee , Kazuhiro Minami , Marianne Winslett, Lightweight cnsistency enforcement schemes for distributed proofs with hidden subtrees, Proceedings of the 12th ACM symposium on Access control models and technologies, June 20-22, 2007, Sophia Antipolis, France  [doi>10.1145/1266840.1266856]
	16	Adam J. Lee , Marianne Winslett, Safety and consistency in policy-based authorization systems, Proceedings of the 13th ACM conference on Computer and communications security, October 30-November 03, 2006, Alexandria, Virginia, USA  [doi>10.1145/1180405.1180422]
	17	Jiangtao Li , Ninghui Li , William H. Winsborough, Automated trust negotiation using cryptographic credentials, Proceedings of the 12th ACM conference on Computer and communications security, November 07-11, 2005, Alexandria, VA, USA  [doi>10.1145/1102120.1102129]
	18	Li, N. and Mitchell, J. 2003. RT: A role-based trust-management framework. In Proceedings of the 3rd DARPA Information Survivability Conference and Exposition (DISCEX’03). 201--213.
	19	Ralph Charles Merkle, Secrecy, authentication, and public key systems., Stanford University, Stanford, CA, 1979
	20	D. Mills, Network Time Protocol (Version 3) Specification, Implementation, RFC Editor, 1992
	21	Kazuhiro Minami , David Kotz, Secure context-sensitive authorization, Pervasive and Mobile Computing, v.1 n.1, p.123-156, March 2005  [doi>10.1016/j.pmcj.2005.01.004]
	22	Minami, K. and Kotz, D. 2006. Scalability in a secure distributed proof system. In Proceedings of the 4th International Conference on Pervasive Computing (PERVASIVE’06). 220--237.
	23	M. Myers , R. Ankney , A. Malpani , S. Galperin , C. Adams, X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP, RFC Editor, 1999
	24	Andrew S. Tanenbaum , Maarten Van Steen, Distributed Systems: Principles and Paradigms, Prentice Hall PTR, Upper Saddle River, NJ, 2001
	25	N. Li , W. Winsborough, Towards Practical Automated Trust Negotiation, Proceedings of the 3rd International Workshop on Policies for Distributed Systems and Networks (POLICY'02), p.92, June 05-07, 2002
	26	William H. Winsborough , Ninghui Li, Safety in automated trust negotiation, ACM Transactions on Information and System Security (TISSEC), v.9 n.3, p.352-390, August 2006  [doi>10.1145/1178618.1178623]
	27	Marianne Winslett , Ting Yu , Kent E. Seamons , Adam Hess , Jared Jacobson , Ryan Jarvis , Bryan Smith , Lina Yu, Negotiating Trust on the Web, IEEE Internet Computing, v.6 n.6, p.30-37, November 2002  [doi>10.1109/MIC.2002.1067734]
	28	Marianne Winslett , Charles C. Zhang , Piero A. Bonatti, PeerAccess: a logic for distributed authorization, Proceedings of the 12th ACM conference on Computer and communications security, November 07-11, 2005, Alexandria, VA, USA  [doi>10.1145/1102120.1102144]
	29	Ting Yu , Marianne Winslett , Kent E. Seamons, Supporting structured credentials and sensitive policies through interoperable strategies for automated trust negotiation, ACM Transactions on Information and System Security (TISSEC), v.6 n.1, p.1-42, February 2003  [doi>10.1145/605434.605435]
	30	Lidong Zhou , Fred B. Schneider , Robbert Van Renesse, COCA: A secure distributed online certification authority, ACM Transactions on Computer Systems (TOCS), v.20 n.4, p.329-368, November 2002  [doi>10.1145/571637.571638]