Can we take this off-line? How to deal with credentials in federations without global connectivity

In mobile and pervasive computing environments, not all devices have universal capabilities. To fulfill a certain task, it is often necessary to federate devices with specific resources. Because some devices are mobile, devices from dierent trust domains may have to interact with each other, and potentially sensitive data may flow from one domain into another. This interaction obviously requires access control and authorization. Achieving a secure federation of mobile devices calls for a framework and mechanisms that allow the specification and enforcement of security policies across dierent trust domains, even when some or all of the devices are disconnected and cannot go on-line, for example to perform an on-line verification of credentials. The WiTness framework was developed in order to address authorization in device federations, particularly providing mechanisms to tackle specific o-line scenarios involving devices without global connectivity. Modes for interaction in federations of dierent administrative trust domains are also defined within the Web Services Security specifications suite. These modes are generally described assuming a global connectivity of the entities involved. This paper shows how the experiences gained from theWiTness framework can be applied to Web Services, and investigates how the Web Services Security framework can be used to handle the o-line scenariosWiTness is optimized for.