6.4 Discrete-Logarithm based Scheme for Localised Authentication
6.5.4 Introducing Guests
Intuitively, guest printing is another example of access control over multiple domains. Hence, following the domain-oriented approach, it naively appears that Darren’s local domain, the University of Dolls, ought to be involved in making the final decision. However, guests are not strangers. Instead, they are very often invited by some authorised user. In other words, guests are usually friendly players even though they come from foreign domains. The major task here is to make sure that Darren obtains the appropriate rights for the printing job only.
Considering the specific requirements for granting the guest printing access listed above, the guest’s (i.e. Darren’s) own local domain, the University of Dolls, is actually not responsible for his access. Ellis is responsible for introducing the guest to the resource, i.e. the printer P. Hence, Ellis makes the final decision in the guest printing example. In fact, it does not matter that the Psychology school at the University of Dolls is saying “no” to the server of the Computer Science school at East University, perhaps because Darren has just retired. The printer does not care as long as Ellis is happy to give Darren permission to access the printer temporarily at this moment. Hence, knowing Darren’s domain information does not help the printer to grant the guest access request. In other words, the printer does not concern itself with the domain Darren is from at all: “I do not care where the guest is from as long as he/she is introduced by Ellis.” Since the printer is managed by the server of the Computer Science school as well, this guest printing scenario is essentially a case of access control for a single domain. Thus, I argue that conventional access control methods can be used to address most guest access scenarios in pervasive environments. These methods have been described in section 2.2, and I do not intend to discuss their implementation in great detail here because this research mainly focuses upon the multiple domain context.
As a visiting professor, the guest Darren is explicitly trusted by Ellis. Consequently, Ellis is willing to let Darren access the printer P on a temporary basis as long as she knows what he is doing. This may be controversial in conventional environments. As described in Chapter 4, however, a pervasive environment is human-centred and, more importantly, the human context is the most significant consideration for pervasive environments. As human users, we have a clear intention about what we are trying to accomplish or to avoid. A pervasive system should track human intent, and the correct choice ought to depend upon this human context [108].
According to the school’s security policy, Ellis can delegate access rights (“permission to print on the printer P”) to anyone she trusts. Thus, she delegates to the guest Darren the right to use the printer P. Ellis’s personal device DRDE can send a signed delegation (e.g. the delegation certificates of [10]) to Darren’s PDA DRDD. The two-channel authentication mechanism can be implemented here to guarantee that the signed delegation goes to Darren’s device rather than that of anyone else in the proximity. Then, DRDD sends his access request and the delegation to the printer P. The service owner, e.g. the server of the Computer Science school, will check the school’s security policy, i.e. whether Ellis’s access right on P is still valid, and whether Ellis is allowed to delegate this right to guests. If the delegation conforms to the policies, the server will send a “request to verify” (RTV) message to Ellis’s DRDE instead of granting Darren’s access immediately:
“Are you aware that you are delegating permission to print on the printer P to a guest who is next to the printer P ?”
Note that the notification should include the name given to the guest by Ellis at the time of delegation.
The printer P allows Darren to print only after Ellis responds with a positive reply. Darren’s access is on a temporary basis because this re-delegation is managed by Ellis. Hence, Ellis can revoke this re-delegation at any time by replying with a negative message to the RTV message. Meanwhile, Darren cannot access services other than the printer P. When he needs to access other services, e.g. the digital projector in the seminar room, Darren must ask Ellis for another delegation. This scenario allows Darren, a guest, to access certain services in other domains without creating a pre-defined account, role, or identity for him.
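The delegation flow just described, modelled as an added example that is not part of the dissertation or its LoT implementation. It keeps the names from the text (Ellis, Darren, DRDE, DRDD, printer P, the Computer Science school server); the per-device keys, the policy table and the HMAC stand-in for the signed delegation certificate are constructed assumptions for illustration.

```python
import hmac, hashlib

# Constructed per-device signing keys. The dissertation's signed delegation
# would use public-key certificates; a shared-key MAC stands in here so the
# example runs with the standard library only.
DEVICE_KEYS = {"DRDE": b"ellis-device-key", "DRDD": b"darren-device-key"}

# Constructed school policy: who holds a right on each service, and who may
# delegate it. The projector is deliberately marked non-delegable.
POLICY = {
    "P": {"holders": {"Ellis"}, "delegable_by": {"Ellis"}},
    "projector": {"holders": {"Ellis"}, "delegable_by": set()},
}

def _tag(device, delegator, guest, resource):
    payload = f"{delegator}|{guest}|{resource}".encode()
    return hmac.new(DEVICE_KEYS[device], payload, hashlib.sha256).hexdigest()

def sign_delegation(device, delegator, guest, resource):
    """The delegator's device (e.g. DRDE) signs 'guest may use resource'."""
    return {"device": device, "delegator": delegator, "guest": guest,
            "resource": resource, "tag": _tag(device, delegator, guest, resource)}

class ServiceOwner:
    """The CS school server: verifies the delegation, checks policy, sends RTV."""
    def __init__(self):
        self.pending = {}   # rtv id -> delegation awaiting the delegator's reply
        self.granted = {}   # (guest, resource) -> rtv id, while the reply is positive

    def request_access(self, d, resource):
        """Returns (rtv_id, message) if an RTV is sent, else a denial string."""
        if not hmac.compare_digest(d["tag"], _tag(d["device"], d["delegator"],
                                                  d["guest"], d["resource"])):
            return "denied: signature does not verify"
        if d["resource"] != resource:
            return "denied: delegation names a different service"
        rule = POLICY.get(resource, {"holders": set(), "delegable_by": set()})
        if d["delegator"] not in rule["holders"]:
            return "denied: delegator's own right on this service is not valid"
        if d["delegator"] not in rule["delegable_by"]:
            return "denied: policy does not allow delegating this right"
        rtv = d["tag"][:8]
        self.pending[rtv] = d   # access is NOT granted until the delegator replies
        return (rtv, f"Are you aware that you are delegating permission to use "
                     f"{resource} to a guest you named '{d['guest']}'?")

    def rtv_reply(self, rtv, positive):
        """Delegator's reply: positive grants temporary access, negative revokes it."""
        d = self.pending.get(rtv)
        if d is None:
            return False
        key = (d["guest"], d["resource"])
        if positive:
            self.granted[key] = rtv
        else:
            self.granted.pop(key, None)
        return True

    def may_use(self, guest, resource):
        return (guest, resource) in self.granted
```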
6.6 Conclusions
This chapter provides a critical discussion of access control in LoT. It reflects on the domain-based access control method proposed previously, and examines in depth some issues relating to access control in pervasive environments (from both the multiple-domain-oriented and the single-domain-oriented perspective). The crucial point is that this chapter gives the details of mechanisms to meet some of the requirements identified in earlier chapters.
The next chapter concludes this dissertation by providing a summary of contributions and some directions for future research.
Chapter 7
Conclusions and Future Work
Future pervasive computing applications will be of vast scale, and often intended to deal with complex collaborative interactions among many human users or different organisations. A powerful design technique is to examine them from the domain perspective. Thus, trust can be reduced to a local level. This dissertation reviewed some previous work in a number of related areas, and examined and identified research issues that were yet to be addressed. A novel security framework for pervasive environments, LoT, has been developed. This chapter concludes this dissertation. It begins with the highlights of the main contributions of this work. Then, some future research directions are suggested. Finally, it provides a closing remark on this dissertation.