Trust Management for the World Wide Web

by

Yang-hua Chu

Submitted to the Department of Electrical Engineering and Computer Science
in Partial Fulfillment of the Requirements for the Degree of
Master of Engineering in Electrical Engineering and Computer Science
at the Massachusetts Institute of Technology

June 13, 1997

Copyright 1997 Yang-hua Chu. All rights reserved.

The author hereby grants to M.I.T. permission to reproduce and
distribute publicly paper and electronic copies of this thesis
and to grant others the rights to do so.

Author: Department of Electrical Engineering and Computer Science

Certified by: Dr. Joan Feigenbaum, Technology Consultant, AT&T Labs—Research

Certified by: James S. Miller, Lecturer

Accepted by: Professor Arthur C. Smith, Chairman, Department Committee on Graduate Thesis

BC00032396
Blue Coat Systems - Exhibit 1014
0001

Trust Management for the World Wide Web

by

Yang-hua Chu

Submitted to the Department of Electrical Engineering and Computer Science

June 13, 1997

in Partial Fulfillment of the Requirements for the Degree of
Master of Engineering in Electrical Engineering and Computer Science
at the Massachusetts Institute of Technology

ABSTRACT

Digital signatures alone are not sufficient for code signing and other Web applications: Signatures can solve the problems of message integrity and authentication, but they do not adequately address more general notions of security and trust. These applications require not only cryptographic tools for determining authenticity and message integrity but also a robust notion of "security policy" and a way to decide whether a request for action complies with a policy. For example, in a code-signing application, a user's security policy must state the properties that the code is required to have in order to be considered "safe" in the user's environment. Similarly, the entity signing the code must state precisely what properties he claims the code has.

My thesis will identify what trust management is in the context of the World Wide Web and propose a general architecture to close the gap between trust and cryptography. I will describe two specific languages for describing trust policies and a general mechanism for evaluating whether a request for action complies with policy.

Thesis Supervisor: Dr. Joan Feigenbaum
Title: Technology Consultant
Affiliation: AT&T Labs—Research

Thesis Supervisor: Dr. James S. Miller
Title: Technology and Society Domain Leader
Affiliation: The World Wide Web Consortium, MIT Laboratory for Computer Science

ACKNOWLEDGEMENTS

First I thank my thesis supervisors, Dr. Joan Feigenbaum and Dr. Jim Miller. They were always ready to give me guidance and support when I encountered problems during my research and thesis writing. They also provided me invaluable opportunities to attend conferences and give presentations.

I was grateful to work with several talented researchers at AT&T Labs—Research, including Brian LaMacchia, Paul Resnick, and Martin Strauss. We co-developed REFEREE, which ultimately became the focus of my research and thesis work. Their enthusiasm and devotion to doing research made them inspiring role models.

Many thanks to the team members at the World Wide Web Consortium, where I spent the past year writing my thesis. Special thanks to the T&S team members Eui-suk Chung, Philip DesAutels, Rohit Khare, and Joseph Reagle. Their presence and encouragement make my daily work on the third floor of LCS fun and worthwhile. Special thanks to Philip, whom I spent a great deal of time with in the Digital Signature Initiative project, and Joseph, who lent me the thesis template.

Finally I have to thank my personal support team: my mom and dad, my brothers Yung-hua, Ching-hua, and Hao-hua, and my girlfriend Wendy. Although land and sea separated us most of the time, we were always connected deep in our hearts. Every bit of caring and encouragement was my most precious source of energy. There are no words that can express my gratitude to them.

Table of Contents

1 INTRODUCTION

2 TRUST MANAGEMENT
  2.1 WHAT IS TRUST MANAGEMENT
  2.2 TRUST MANAGEMENT INFRASTRUCTURE
  2.3 REVIEW OF EXISTING TRUST SYSTEMS AND PROTOCOLS
    2.3.1 PICS
    2.3.2 X.509
    2.3.3 PolicyMaker
    2.3.4 Microsoft Authenticode
  2.4 EXAMPLES OF TRUST MANAGEMENT PROBLEMS IN THE WWW
    2.4.1 Code Distribution
    2.4.2 Document Authentication

3 EXECUTION ENVIRONMENT
  3.1 DESIGN GOAL
  3.2 REFEREE
  3.3 REFEREE INTERNAL ARCHITECTURE
  3.4 REFEREE PRIMITIVE DATA TYPES
    3.4.1 Tri-Value
    3.4.2 Statement and Statement-list
    3.4.3 Module Databases
  3.5 BOOTSTRAPPING REFEREE
  3.6 QUERYING REFEREE

4 POLICY LANGUAGE
  4.1 DESIGN GOALS
  4.2 PicsRULZ
  4.3 PROFILES-0.92
  4.4 SAMPLE POLICIES
    4.4.1 Sample Policy 1: Determine Access Based on the URL
    4.4.2 Sample Policy 2: Determine Access Based on PICS Labels
    4.4.3 Sample Policy 3: Determine Access Based on Multiple PICS Labels and Sources
    4.4.4 Sample Policy 4: Defer Trust Using Extension Mechanism

5 REFEREE REFERENCE IMPLEMENTATION
  5.1 JIGSAW PROXY: THE HOST APPLICATION
  5.2 REFEREE IN THE JIGSAW PROXY
  5.3 THE SCOPE OF THE REFEREE IMPLEMENTATION
  5.4 AN EXECUTION TRACE
  5.5 DISCUSSIONS

6 CONCLUSION

APPENDICES
  APPENDIX A. MODIFIED BNF FOR PicsRULZ POLICY LANGUAGE
  APPENDIX B. MODIFIED BNF FOR PROFILES-0.92 POLICY LANGUAGE
  APPENDIX C. MODIFIED BNF FOR THE RETURNED STATEMENT-LIST OF LABEL LOADER

REFERENCES

List of Figures and Tables

FIGURE 2 DEPENDENCY GRAPH OF TRUST MANAGEMENT INFRASTRUCTURE COMPONENTS
FIGURE 3 PICS IN THE TRUST MANAGEMENT INFRASTRUCTURE
FIGURE 4 X.509 IN THE TRUST MANAGEMENT INFRASTRUCTURE
FIGURE 5 POLICYMAKER IN THE TRUST MANAGEMENT INFRASTRUCTURE
FIGURE 6 AUTHENTICODE IN THE TRUST MANAGEMENT INFRASTRUCTURE
FIGURE 7 AUTHENTICODE USER PERMISSION INTERFACE
FIGURE 8 CONFIGURING A LIST OF TRUSTED ENTITIES IN AUTHENTICODE
FIGURE 9 COOL GAME DOWNLOAD
FIGURE 10 A SNAPSHOT OF THE BOSTON GLOBE WEB DOCUMENT
FIGURE 11 FLOW CHART FOR SIGNING AND VERIFYING A DIGITAL SIGNATURE
FIGURE 12 REFEREE EXTERNAL API
FIGURE 13 SAMPLE BLOCK DIAGRAM OF REFEREE INTERNAL STRUCTURE.
FIGURE 14 REQUIRED INTERFACE FOR EVERY REFEREE MODULE
FIGURE 15 SAMPLE REFEREE IMPLEMENTATION
FIGURE 16 JIGSAW PROXY ARCHITECTURE
FIGURE 17 SAMPLE REFEREE IMPLEMENTATION

TABLE 1 A SAMPLE MODULE DATABASE
TABLE 2 TRUTH TABLE FOR THE AND OPERATOR
TABLE 3 TRUTH TABLE FOR THE OR OPERATOR
TABLE 4 TRUTH TABLE FOR THE NOT OPERATOR
TABLE 5 TRUTH TABLE FOR THE TRUE-IF-UNKNOWN OPERATOR
TABLE 6 TRUTH TABLE FOR THE FALSE-IF-UNKNOWN OPERATOR

1 Introduction

Many activities of growing importance in the "information infrastructure," including electronic commerce and mobile programming, depend critically on precise and reliable ways to manage trust. Users will need to know how trustworthy information is before they act on it. For example, they will need to know where the information comes from (authentication), what kind of information it is (content), what it can do (capability), and whether it was altered during transmission (integrity). Without knowledge of what or whom to trust, users may treat a piece of potentially valuable information as yet another stream of random bits. Worse yet, malicious parties may lure users into believing that a false piece of information is trustworthy.

Many existing mechanisms and protocols address specific aspects of trust in the information infrastructure, but none provides a complete solution. For example, digital signatures allow publishers to create and distribute non-refutable proofs of authorship of documents. Public key infrastructures bind public keys to entities so that users can establish trust chains from digital signatures to signers. Metadata formats allow creators of information resources or trusted third parties to make assertions about these resources. Users can query and process the trusted assertions before deciding what to do with the information resources. Each of these mechanisms and protocols defines a subset of all potential trust problems and solves or partially solves this subset.

The goal of my research is to design a complete trust management infrastructure, in which trust is specified, disseminated, and evaluated in parallel with the information infrastructure. I have identified four major components of a trust management infrastructure: the metadata format, the trust protocol, the trust policy language, and the execution environment, which are defined in Chapter two. Under this framework of study, I discovered that most existing approaches to trust deal with metadata formats and trust protocols but lacked general trust policy languages for specifying user preferences and generic environments for evaluating them. This finding leads to my interest and involvement in REFEREE.

REFEREE is a result of collaboration among researchers from AT&T and W3C, including myself. It was designed to be a general-purpose execution environment for all Web applications requiring trust. REFEREE evaluates user policies in response to a host application's request for actions. Policies are treated as programs in REFEREE. For a given request, REFEREE invokes the appropriate user policy and interpreter module and returns to the host application an answer (with justification) to the question of whether or not the request complies with the policy.

The underlying architecture of REFEREE allows different trust policy languages and trust protocols to co-exist in one execution environment. They are treated as add-on software modules and can be installed or de-installed modularly. At the time of development, we were unable to find a suitable policy language to demonstrate all the features of REFEREE, and so we designed the Profiles-0.92 language.

In order to develop a deeper understanding of REFEREE and to demonstrate its feasibility, power, and efficiency, I built a reference implementation of the REFEREE trust management system. The implementation includes a set of the core REFEREE data types and methods, a PICS protocol, and a Profiles-0.92 policy interpreter to evaluate policies based on the PICS metadata format. In addition, I implemented another policy language called PicsRULZ and integrated it into the reference implementation, in order to demonstrate REFEREE's ability to handle multiple policy languages in particular and multiple software modules generally.

This thesis is about the work I have done on trust management during the last year. Chapter two introduces readers to the term trust management infrastructure and explains how existing systems and protocols map into my framework of infrastructure. Chapter two also identifies trust management problems that are common to several current Web applications.

Chapter three is devoted to the REFEREE execution environment. It explains in detail its requirements, architectural design, primitive data types, and standard methods of bootstrapping and querying.

Chapter four describes two different policy languages, PicsRULZ and Profiles-0.92. They represent two different approaches to writing user policies. The chapter also provides four sample policies of varying degrees of complexity and typicality. These policies are expressed in both PicsRULZ and Profiles-0.92, so that I can compare and contrast the strengths and weaknesses of the two languages.

Chapter five describes my implementation work on REFEREE and analyzes the system from the implementation perspective. I chose Jigsaw proxy as the host application and Java Virtual Machine as the underlying REFEREE execution environment. The work sheds light on how to use REFEREE in a real-world application.

Chapter six concludes my thesis.

2 Trust Management

The term trust management has received a great deal of attention in the network security community since it was first introduced in the paper "Decentralized Trust Management" by Blaze, Feigenbaum, and Lacy [BFL96]. Many existing systems have since been identified as trust management systems in the sense of [BFL96], including PolicyMaker [BFL96], SDSI [RL96], SPKI [EFRT97], and X.509 [CCITT88a, CCITT88b]. People have compared and contrasted these systems and their capabilities and limitations.

This chapter reviews the concept of "trust management" as the starting point for my thesis work. Later discussions of REFEREE in Chapter three and PicsRULZ and Profiles-0.92 in Chapter four address specific components of "trust management".

Section one introduces the trust management problem in [BFL96]. Section two presents my alternative notion of trust management infrastructure. Section three analyzes several well-known systems in the "trust management infrastructure" framework and highlights their strengths and weaknesses. Section four sets the context of my thesis work by identifying several common Web applications that have similar trust management needs.

2.1 What is Trust Management

As formulated by Blaze, Feigenbaum, and Lacy, trust management addresses the question "is this request, supported by these credentials, in compliance with this user policy?" The [BFL96] paper identified three components of trust management:

• security policies
• security credentials
• trust relationships

Security policies are local policies that an application trusts unconditionally. Security credentials are assertions about objects by trusted third parties. Trust relationships are special cases of security policies. An example in the paper illustrated the use and the interactions among the three components:

    An electronic banking system must enable a bank to state that at least k bank officers are needed to approve loans of $1,000,000 or less (a policy), it must enable a bank employee to prove that he can be counted as 1 out of k approvers (a credential), and it must enable the bank to specify who may issue such credentials (a trust relationship).

The paper referred to the study of the three components and their interactions as the trust management problem. The authors believe that the trust management problem is a distinct and important aspect of security in network services and that such problems can be solved using a general mechanism that is independent of any particular application or service. They propose a trust management layer that applications and services can build on top of.

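The banking example above can be worked through as a compliance check. The Python below is an added example, not code from the thesis or from [BFL96]: it models the policy, the credentials and the trust relationship separately and returns an answer with its justification. It assumes HMAC as a stand-in for a digital signature, k = 2, and constructed names (`hr-dept`, `cafeteria`, `alice`, `bob`).

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed demo keys. HMAC stands in for a public-key signature
# (assumption: keeps the example within the standard library).
ISSUER_KEYS = {"hr-dept": b"demo-key-hr", "cafeteria": b"demo-key-cafe"}


@dataclass(frozen=True)
class Credential:
    issuer: str    # who makes the assertion
    subject: str   # employee the assertion is about
    role: str      # asserted role, e.g. "loan-approver"
    tag: bytes     # authenticity tag over (issuer, subject, role)


@dataclass(frozen=True)
class Policy:
    max_amount: int             # policy covers loans up to this amount
    k: int                      # approvers required
    required_role: str
    trusted_issuers: frozenset  # trust relationship: who may issue the role


def _payload(issuer, subject, role):
    # JSON list encoding keeps field boundaries unambiguous.
    return json.dumps([issuer, subject, role]).encode()


def issue(issuer, subject, role):
    tag = hmac.new(ISSUER_KEYS[issuer], _payload(issuer, subject, role),
                   hashlib.sha256).digest()
    return Credential(issuer, subject, role, tag)


def is_authentic(cred):
    """Integrity and origin only: says nothing about whether to trust the issuer."""
    key = ISSUER_KEYS.get(cred.issuer)
    if key is None:
        return False
    expected = hmac.new(key, _payload(cred.issuer, cred.subject, cred.role),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, cred.tag)


def check_compliance(request, credentials, policy):
    """Return (decision, justification) for 'does this request, supported
    by these credentials, comply with this policy?'"""
    why = []
    if request["amount"] > policy.max_amount:
        why.append(f"amount {request['amount']} is above the policy limit "
                   f"{policy.max_amount}")
        return False, why
    counted = set()  # distinct approvers; duplicate credentials count once
    for cred in credentials:
        if not is_authentic(cred):
            why.append(f"{cred.subject}: rejected, signature check failed")
        elif cred.issuer not in policy.trusted_issuers:
            why.append(f"{cred.subject}: rejected, issuer {cred.issuer} "
                       f"is not trusted to issue {policy.required_role}")
        elif cred.role != policy.required_role:
            why.append(f"{cred.subject}: rejected, role {cred.role} "
                       f"does not count toward approval")
        elif cred.subject not in request["approvers"]:
            why.append(f"{cred.subject}: ignored, did not approve this request")
        else:
            counted.add(cred.subject)
            why.append(f"{cred.subject}: accepted as approver")
    why.append(f"{len(counted)} of {policy.k} required approvers established")
    return len(counted) >= policy.k, why


# Constructed policy: k = 2 approvers, credentials accepted from hr-dept only.
BANK_POLICY = Policy(1_000_000, 2, "loan-approver", frozenset({"hr-dept"}))

if __name__ == "__main__":
    request = {"amount": 750_000, "approvers": ["alice", "bob"]}
    creds = [issue("hr-dept", "alice", "loan-approver"),
             issue("cafeteria", "bob", "loan-approver")]  # authentic, untrusted
    decision, justification = check_compliance(request, creds, BANK_POLICY)
    print(decision)
    for line in justification:
        print(" ", line)
```

The `cafeteria` credential passes `is_authentic` yet is still rejected, which is the gap between signature verification and policy compliance that the abstract describes.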

PolicyMaker, described in [BFL96], is a trust management system designed to meet the needs of this layer. It is a three-part solution: a credential format to represent authorization assertions, a security policy language to express user preferences, and an execution environment to evaluate certificates and policies. PolicyMaker broke new ground by expressing credentials and policies as programs. The execution environment acts like a database query engine: The host application sends to the execution environment a request for action and a user policy, and the environment returns an