Assuring security and privacy for digital library transactions on the web: Client and server security policies

Often, an information source on the Web would like to provide different classes of service to different clients. In the autonomous, highly distributed world of the Web? the traditional approach of using authentication to differentiate between, classes of clients a's no longer sufficient, as knowledge of a client's identity will often not suffice to determine whether a client is authorized to use a service. In [CJW96] toe proposed the use of digital credentials to help solve this problem; but their use will in turn introduce a bevy of new problems associated with credential management. In this paper toe propose the use of server security policies and client credential submission policies to did in tile management of a client's digital credentials. We propose a structure for such policies, and briefly describe an implementation of personal security assistants and server security assistants that embodies our proposed approach.