Conclusions

  We have described a security infrastructure, QCM, that is appropriate for the application programmer. Our main point is that since cryptography and message exchange are complicated and error-prone, they should be managed automatically by the infrastructure rather than the programmer. Hence, the basic primitive of QCM is authenticated data distribution, which is implemented by the automatic management of queries and certificates.

QCM has a formal semantics, and this has been invaluable in pointing out areas which could lead to security failures in QCM programs. In particular, it led us to develop an automatic analysis of certificate contents to prevent semantic inconsistencies.

We are working on the implementation of a QCM interpreter in Java, using Java RMI to model QCM messages as remote method invokations and JDBC to mediate between QCM and relational databases. Progress on this effort will be reported in a future paper.

We would like to acknowledge encouragement and assistance from Joan Feigenbaum, whose work on Trust Management inspired us to pursue this investigation. We received valuable assistance on the database aspects of the work from Rona Machlin, Arnaud Sahuguet, Dan Suciu, and Val Tannen.