The TAS3 architecture provides the high level design of an infrastructure intended to provide the next generation of trust & security eco-systems that can (1) meet the requirements of complex and highly versatile business processes, (2) enable the dynamic user-centric management of policies and (3) ensure end-to-end secure transmission of personal information and user-controlled attributes between heterogeneous, context dependent and continuously changing systems.
The trusted architecture is built on three foundations: technical, policy and legal.
The technical architecture, introduced and described at a high level in this document, presents the different services that are needed in order to operate a trust network (or eco-system). Other work package deliverables provide more detailed designs of some of these services.
The technical architecture proposes a number of Policy Decision Points (PDPs) that are services capable of evaluating policies of various kinds and returning policy decisions to their callers - the Policy Enforcement Points (PEPs). The correct enforcement of user's policies engenders trust in a network. Many policies in a TAS3 trust network will be sticky policies, meaning that the policy and the data to which it pertains, are cryptographically bound together, thereby ensuring that the policy is always there to be correctly enforced. Various types of policy and PDP are envisaged, trust PDPs, privacy PDPs, authorisation PDPs, delegation PDPs etc. Details of these PDPs and the policies they support will be provided in more detail in other workpackage deliverables e.g. from WP4, WP5, and WP7.
The legal framework and set of model contracts will be further developed in WP6. They are being designed to contractually bind all the service providers into operating in a trustworthy manner, for example, so as to honour all the choices of users concerning the handling of their personal information. As many trust enabling factors as possible will be built into the technical infrastructure described in this deliverable, thereby automating the controls and freeing organisations from the worry and overhead of ensuring that they do the right thing. When it is not possible to engender trust through technical controls alone, then legal controls through our model contracts will be used as the controls of last resort.
This architecture document describes a service oriented trust network. All the conceptual entities that are needed to form a trust and privacy preserving secure network operate as service providers and service consumers, and they collaborate together to provide the security services to end users. These trust, privacy and security services are application independent and are designed to ensure that whatever application the user is using, the application and its data are as secure, trustworthy and privacy preserving as is possible, given the risk assessment and cost constraints of the trust network. (We accept that absolute security is both technically impossible and financially unaffordable.)
The trust and privacy enhancing services offered by TAS3 include:
authorization services, whose purpose is to answer the question "is this subject authorised to access this resource in this way"
authentication services, whose purpose is to identify a subject and validate that the communicating party is indeed the identified subject
privacy preserving services whose purpose is to provide pseudonymous identities for users and minimise the cross linking of identities
trust negotiation services whose purpose is to determine if the remote communicating party is trustworthy enough to start a dialogue
secure business process management services whose purpose is to ensure that business processes operate securely, and can be dynamically modified securely
delegation services, whose purpose is to delegate credentials from a delegator to a delegate
discovery services, whose purpose is to inform clients where particular services can be found
trusted registries, whose purpose is to keep a directory of all services in the trust network who are known to provide services conforming to the TAS3 specifications
attribute authorities whose purpose is to assert that particular users have particular attributes
identity management services, which are a combination of an authentication service and an attribute authority
secure repository services, whose purpose is to store users' personal data securely and give users complete control over who should access their data and how they should handle it once they are given access to it
trust and reputation services, whose purpose is to answer the question "how trustworthy is this actor (service provider or end user)"
secure audit services whose purpose is to keep a tamper resistant record of transactions within the trust network so that legally admissible evidence can be obtained in the case of a dispute.
on-line compliance testing services whose purpose is to ensure that all the services in a trust network comply with their published specifications and policies.
All of these services are usually needed regardless of the applications that might run in a TAS3 trust network. However, small centralized trust networks may be able to dispense with one or more of these trust and privacy enhancing services, e.g. discovery or delegation services, depending upon their requirements.
The TAS3 architecture is designed to be standards and protocol agnostic so that any protocol capable of implementing the message flows and service requirements of the conceptual service providers can potentially be used by any application. However, in order to ensure interworking between the prototypes being developed in this project, we have had to choose a subset of current state of the art protocols. Annex A maps (some of) our services onto the latest state of the art application independent protocols as far as is currently possible. Further standardization effort will be needed in order to fully complete this mapping and this will be documented in a future version of this architecture (or in other TAS3 deliverables).