Zero-knowledge trust negotiation

Electronic business or on-line cooperation transactions happen regularly over the internet. Such a transaction usually involves a service provider who provides a certain service (i.e., perform an on-line purchase) and a service requester who requests the service. In order to decide whether a service requester can access a service, a distributed access control system can be used. Traditional identity-based access control systems usually require pre-register, which is too rigid to adapt to the rapid developing on-line cooperation. Trust-based access control provides open authentication and access control. The flexibility that it introduces could boost the on-line cooperation significantly. However, it is vulnerable to attacks that lead to leakage of sensitive information. Furthermore, certain credentials (such as, credit card number) are too sensitive to release for some people even through proper release policies. This paper introduces the Zero-knowledge protocol for credential verification, and presents a trust-based access control framework that incorporates this protocol. This system keeps the highly sensitive credentials secret; while at the same time proceed with the trust negotiation.