Ontology for Mapping Platform Configuration in Security Properties

Summary

E-commerce transactions use client-server applications that involve a service requestor and one or more service providers. To obtain assurance that the transaction is secure, the following security operations must be performed:

(1) Determination of endpoint (especially service provider) identity
(2) Establishment of secure channels to protect the communication between the endpoint processes
(3) Verification of the integrity of the application and the platform providing the services

While standardized protocols such as SSL (supported by PKI certificates) and IPSec exist for security operations (1) and (2), there are no established processes for defining and verifying the integrity of remote systems and processes that participate in a given service scenario/context. Verifying the integrity of the remote platforms/applications, to ensure that they have not been tampered with and can be trusted to protect sensitive information, is hard in practice because of the following technical bottlenecks:

(1) The service requestor or verifier (or any application acting on its behalf) must know the trusted or secure configurations for all platforms/applications, which is not feasible.
(2) There is no guarantee that the presence of a secure configuration in a given remote platform/application will translate to satisfaction of the security properties required for the given transaction.
(3) Platform configuration data are at too fine a level of granularity to be handled by most transaction monitors (the software module in charge of managing the transaction).

Description

The output of this project will improve the trust in the most vulnerable (weakest) element participating in a trusted cyber transaction. Additionally, the extensible ontology will enable establishment of assurance measures for new types of online transactions as they emerge.

Created December 22, 2009, Updated March 23, 2018