Pp. 229–240 of the Proceedings

Abstract

The circulation of digital tickets comprises three types of principal transactions: issuance, transfer, and redemption. Depending on the application, various conditions must be satisfied to execute these transactions, e.g., only qualified shops can issue the tickets and only a certain agent can transfer the tickets. This paper introduces circulation control tickets, which are required to issue, transfer, redeem a ticket, and proposes specifying the required control ticket types in the ticket to be circulated itself using the Generalized Ticket Definition Language. The ticket circulating system issues, transfers, or redeems a ticket only if the control tickets are owned by the participants of the transaction. The circulation control tickets themselves can be any type of digital ticket, e.g., a driver's license or a membership certificate to certain group, and these tickets can be recursively circulated in the ticket circulating system. This scheme provides the ticket circulating system with both the flexibility needed to match the business scheme of interest and application independence.

This paper also proposes a ticket-type-based trust management scheme that enables users to mechanically verify the trust of a ticket by the presented ticket type verification procedure.

1. Introduction

We are developing a system that can circulate all tickets with various rights in a common manner. This system enables service providers to reduce the development costs of the ticketing software/hardware and also enables users to view and manage various tickets using a common "ticket wallet", which greatly improves usability.

The trust management scheme [1][3][6][7] developed for digital certificates and the double-spending protection scheme [2][14] developed for digital cash can also be applied to digital tickets as base technologies, since digital tickets have aspects of both digital certificates and digital cash. These technologies, however, do not provide solutions for the specific requirements of digital tickets, i.e., diversity in circulating requirements and business schemes.

To circulate various types of digital tickets using a common ticket processing system, we proposed a general-purpose digital ticket framework, in which a ticket is circulated by interpreting the ticket properties of anonymity, transferability, and divisibility, specified in the ticket itself using the Generalized Ticket Definition Language [9]. No circulation control scheme or trust management scheme for digital tickets have, however, been presented up to now. These issues are especially important since the requirements depend on the ticket's business scheme, and this makes generalization difficult. This paper focuses on these issues and presents a new approach that we implemented in a prototype system.

The following were taken as our design goals:

No centralized organization. Designs that rely on deference to a global, centralized organization should be avoided since a single failure in the organization may impair the entire system. No centralized broker who sells all types of tickets, or centralized authority that authenticates all issuers or other participants, should be assumed.

Business scheme flexibility. Unlike digital cash, various requirements must be satisfied when a ticket is circulated depending on the application. Examples include "only qualified agents can transfer the tickets", or "only a certain member of a group can redeem the tickets". To satisfy these business requirements, flexible control of ticket circulation is required.

Management autonomy. Responsibility for the ticket and for settlement when a task or service is not satisfactorily rendered should be application dependent. These management policies should be defined freely by the ticket issuer. For example, a ticket issuer should ask a certificate authority (CA) to endorse the contents of their tickets only if the issuer desires it.

 
Trust manageability. Diverse types of digital tickets will be circulated in the future. This makes it difficult for users to judge whether a ticket can be trusted or not. To support such judgement, a trust management system that mechanically verifies the trust of a ticket is thus required.

Simplicity. Simplicity is important in understanding the system, which is necessary for people to trust the system. It also minimizes the probability of a security hole resulting from an implementation error.
 

Prevention of duplicated redemption is also an important issue of the digital-ticket circulation system. This exceeds the scope of this paper since several double-spending protection schemes invented for digital cash can be applied to digital tickets. The digital ticket storage system, i.e., how digital tickets are stored in smart cards, PCs, or network, is also a major issue when implementing a digital-ticket circulation system. This point is also beyond the scope of this paper. We will address this issue in other papers.

This paper also proposes a new trust management scheme based on ticket type; the scheme defines the format and restrictions placed on ticket properties. In this scheme, the trust of a ticket can be verified mechanically by the proposed ticket type verification procedure, which checks whether the ticket meets the corresponding ticket type definition managed by the user.

The following section presents a ticket circulation model. The third section describes the circulation control scheme in detail. We then discuss the trust management scheme that is the basis of security in Section 4. Section 5 overviews an implementation of the ticket circulation system. Finally, we draw a comparison to related work in Section 6.

2. Ticket Circulation Model

2.1 Participants

The issuer and service provider can be the same physical organization. Additionally, a shop, broker, or other participants exist in real paper ticket circulation but they are not included in the settlement because they are treated as users who buy tickets from issuers (or users) and transfer the tickets to other users with payment.

2.2 Digital ticket

2.3 Transaction

Issuance is an action in which issuer I gives ownership of ticket T to user U. In our model, we assume that this transaction is implemented by issuer I creating ticket T = Signed_I (I, P, U) and sending it to user U.

Transfer is an action in which user U0 transfers ownership of ticket T to user U1. In our model, we assume that this transaction is implemented by attaching a transfer certificate to the ticket to be transferred, i.e., user U0 creates transfer certificate T_t1 = Signed_U0 (U0, transfer(T), U1) and sends it to user U1 with T, where transfer(T) is a promise that T was transferred.

Redemption is an action in which user U redeems the rights represented by ticket T to service provider S. In our model, we assume that this transaction is implemented by attaching a redeem certificate to the ticket, i.e., user U creates redeem certificate T_r = Signed_U (U, redeem(T), S) and sends it to service provider S with T, where redeem(T) is a promise that T was redeemed. The situation in which ownership of the ticket is retained when the ticket is redeemed, e.g., redemption of licenses or passports, is termed presentation. The situation in which ownership of the ticket is voided or the number of times it is valid is reduced when the ticket is redeemed, e.g., redemption of event tickets or telephone cards is termed consumption.

Generally speaking, money, services, or products are circulated against the flow of the tickets. There are issues on how the atomicity between these two delivery flows is guaranteed [6]. This paper, however, focuses only on the ticket flow and makes payment methods independent because this approach enables easy integration with legacy application systems that use existing payment systems. Of course, integration with payment methods is an important issue to be studied.

3. Circulation Control Scheme

3.1 Requirements

1. Only qualified shops can issue tickets
2. Tickets may be circulated only between the registered members of a group
3. Only certain agents are allowed to transfer tickets, the general public is prohibited from transferring tickets to anybody else, e.g., plane tickets and event tickets
4. Only qualified people can redeem tickets, e.g., student discount tickets
5. Only a certain shop or agent is allowed to examine (punch) the ticket. Most tickets have such a condition

3.2 Onion ticket accumulation model

In this model, the identity of a participant forms the onion core, and the rights (tickets) given to the identity form the layers beyond the core. A transaction is conducted between two onions (participants). The model illustrates that an outer layer (tickets) cannot be peeled or moved to another onion unless inner layers (tickets) exist.

For example, a plane ticket can be modeled using circulation conditions as shown in Table 1. A plane ticket can be issued and punched by the airlines that have an airline certificate issued by the International Air Transport Association (IATA). A plane ticket can be transferred by the travel agencies who have a travel agent certificate issued by a government, while the public is prohibited from transferring the tickets to anybody else.

The next issue is how and where these circulation requirements are defined in the system. We describe this issue in the following sections.

3.3 Ticket type definition

We found that there are two classes of information in a ticket. One is common to each type of ticket. The other is different for each ticket instance. For example, the circulation requirements presented in Section 3.2 are an instance of the former class of information and do not have to be defined for each ticket. We, therefore, introduce two types of definitions: a ticket type definition and ticket definition. The common information within tickets of the same ticket type is defined in the ticket type definition. The specific information on the ticket instance is defined in the ticket definition. To bind a ticket definition to its ticket type definition securely, we propose setting the hash value of the ticket type definition in the ticket definition, which is digitally signed by the ticket issuer. This scheme reduces communication cost and improves efficiency of ticket circulation since the ticket type definition can be pre-distributed to the participants who may use the tickets of a particular ticket type. Details of the distribution of the ticket type definitions are described in the following section.

A ticket type definition is the following tuple:

• TypeInfo: The ticket type definition information. It includes the contact address of the person defining the ticket type, the name of the ticket type, version number, or other information.
• TypeValidity: The validity condition of the ticket type. The valid period, start date and end date, are specified.
• IssueConditions: Pre-conditions of the issue transaction. This is a tuple of SenderConditions and ReceiverConditions described below.
• TransferConditions: Pre-conditions of the transfer requirement. This is a tuple of SenderConditions and ReceiverConditions described below.
• RedeemConditions: Pre-conditions of the redeem transaction. This is a tuple of SenderConditions and ReceiverConditions described below.
• TicketSchema: Syntax definition for the Promise property of the tickets of this ticket type. This defines sub-properties of the Promise property and the necessity value, i.e., mandatory or optional, and default value if any. There are several specifications for this purpose. XML DCD [16] or SOX [19] can be used [12]. Details of the definition method are thus outside the scope of this paper.
• SenderConditions and ReceiverConditions are one of the following:
(1) TypeID₁ ... TypeID_n: A list of the ticket type identifiers that must be held by the sender or receiver, where TypeID_X = hash(the ticket type definition X).
(2) Identity_X: The identity of the sender or receiver X. It can be implemented using a public key or other names with the scope rule but this paper assumes Identity_X = hash (PK_X) for simplicity.
(3) Not specified: This means no restrictions apply to the sender or receiver.

In the plane ticket example shown in Section 3.2, an airline certificate is specified as the sender condition within the issue conditions. This is an example of condition (1) above. This condition can be defined by specifying the ticket type identifier of the airline certificate in the type definition of the plane ticket. This scheme enables new airlines to issue plane tickets after getting their airline certificates from IATA. It is not necessary to redistribute ticket type definition to users in this case. As an example of condition (2) above, we assume a plane ticket, the type of which is defined by each airline and issued without IATA involvement. In this case, the sender conditions within the issue conditions can be defined by specifying the airline's identity in the type definition of the plane ticket. This scheme does not require new airlines to get their airline certificate from IATA but they must distribute the ticket type definition to the users.

There are several ways in which sender and receiver conditions can be specified other than (1) and (2) above; disjunction, conjunction, and threshold [3][8] of the ticket types or ticket instances, restrictions on property values of a ticket, etc. can be used. Our analysis of paper tickets shows that implementing conditions (1) and (2) achieves sufficient flexibility for describing the conditions of most tickets.

3.4 Ticket definition

A ticket definition is the following tuple:

• TypeID: The ticket type identifier.
• TicketID: The ticket instance identifier. It must be unique for each ticket with the same TypeID.
• TicketValidity: The validity conditions of the ticket. At least the valid period, start date and end date, are specified.
• IssuerID: The ticket issuer's identity.
• Promise: Various properties are specified depending on the application.
• OwnerID: The ticket owner's identity.
• Signature: Issuer's digital signature on the above.

4. Trust Management Scheme

4.1 Requirements

Trusted broker: A ticket bought directly from a trusted broker can be trusted even if the ticket issuer cannot be trusted. In this scheme, however, several problems exist: no offline capability, centralized organization, and additional payments to the broker.

Authorization by a CA: If a CA who authorizes all issuers for all types of tickets exists, users can ask the CA if the ticket can be trusted. This scheme, unfortunately, destroys management autonomy. If a different CA exists for each specific type of ticket, management autonomy might be achieved but it is difficult for users to find a CA who can judge the ticket. No practical way of managing the binding between a specific type of ticket and its CA has be proposed yet.

4.2 Ticket type based trust management

We assume that a user establishes a binding between conceptual rights recognized in the real world and a ticket type identifier by some means. We use this binding as the basis of trust desired by the user. Examples of binding are as follows:
 

This scheme similar to PGP [15] in which a set of bindings between user IDs and public keys (or fingerprints) is the basis of trust.

There are several ways to distribute the ticket type identifiers. For example:

• CD-ROMs sold in bookshops.
• Physical ticketing machines managed by service providers.
• A trusted web site with a secure communication channel.

Assuming that a user has the ticket type book described above, the user can use the following type verification procedure to verify if the issuer has the right to issue the ticket:

Ticket type verification procedure: Let T be a ticket definition and TT be a ticket type definition. We say that T meets TT if and only if the following procedure is completed.

1. Verify the digital signature of T.
2. Verify that the ticket type identifier TypeID in T and hash(TT) are the same.
3. Verify that the ticket type identifier TypeID is in the ticket type book.
4. Retrieve TT from the ticket type book.
5. If identity Identity_X (onion core) is specified as the issuer conditions in TT, verify that Identity_X and the issuer identity IssuerID in T are the same.
6. If ticket type identifiers TypeID₁...TypeID_n (onion layers) are specified as the issuer conditions in TT, verify that the issuer owns all tickets T₁...T_n corresponding to TypeID₁...TypeID_n (getting T₁...T_n from the issuer directly or from the circulation history attached to the transferred ticket, and verify that OwnerIDs in T₁...T_n and IssuerID in T are the same), and verify that for each ticket definition T₁...T_n meet the corresponding type definitions TT₁...TT_n by applying this procedure recursively.

This trust management scheme enables users to detect a forged ticket regardless of the circulation route, and can be performed mechanically by the proposed type verification procedure. This scheme also provides easy management of the basis of trust since the user need manage only one type definition for each type of ticket, even if complicated issuer conditions are set.

5. Overview of Implementation

5.1 Generalized ticket definition language

The standardization of XML signed documents [5] is now being actively discussed in W3C and IETF. Our current specification does not comply with these specifications but integration with any future standard is an important issue to be studied.

5.2 Protocols

We have implemented a prototype of the above protocols using Java and confirmed its feasibility. We also implemented three common components on top of the protocol handling system: ticketing server, ticket examination server, and ticket wallet.

5.3 Application example

Based on the onion ticket accumulation model, several requirements can be given in this example such as; the customer certificate requires users to have a wallet certificate and award ticket transfer requires users to have the customer certificate. Such flexible circulation control can be achieved without any application-specific software in the ticket wallet.

6. Related Work

SPKI [8] and PGPticket [11] present an authorization control system that provides a mechanism for deriving authorization decisions from a collection of certificates. They provide the ability to delegate fine-grained authorization from one person to another. These systems, however, do not introduce certificate transferability, in which the transferor loses the rights when the certificate is transferred. As a result, it is difficult to realize event tickets or other tickets that can be consumed only once, although we note that it can be applied to license or pass-type tickets.

The Eternal Resource Locator [1] presents a scheme to establish trust without relying on any PKI. This scheme uses the hash value of the root hypertext document as the basis of trust. Our scheme has similarities to this in that the hash value of the type definition is used as the basis of trust.

NetBill [6] presents an authorization scheme, in which a customer's authority is represented by an identity ticket, which is a pseudonym of the customer, and one or more credentials, each of which represents proof of group membership. This model has some similarities to our onion ticket accumulation model. The NetBill system introduced this model mainly for flexible price control, whereas our model is used to increase the flexibility of circulation control.

Capability cards [13] represent a digital media that can circulate various types of digital objects including digital rights using a card metaphor. However, they do not provide flexible circulation control or trust management, both of which are offered by the schemes proposed in this paper.

7. Conclusion

Acknowledgement

References

1. R. J. Anderson and V. Matyas Jr., "The Eternal Resource Locator: An Alternative Means of Establishing Trust on the World Wide Web", 3rd USENIX Workshop on Electronic Commerce, August 1998, pp. 141-153.
2. N. Asokan, P. A. Janson, Michael Steiner, and M. Waidner, "The State of the Art in Electronic Payment Systems", IEEE Computer, September 1997, pp. 28-35.
3. M. Blaze, J. Feigenbaum, and M. Strauss, "Compliance Checking in the PolicyMaker Trust-Management System", In Proceedings of Financial Cryptography '98, LNCS 1465, pp. 254-274.
4. M. Blaze, J. Feigenbaum, A. D. Keromytis, and J. Ioannidis, "The KeyNote Trust-Management System", IETF Internet Draft, August 1998.
5. R. D. Brown, "Digital Signatures for XML" IETF Internet Draft, January 1999.
6. B. Cox, D. Tyger, and M. Sirbu, "NetBill Security and Transaction Protocol", 1st USENIX Workshop on Electronic Commerce, July 1995.
7. C. M. Ellison, "Establishing Identity Without Certification Authorities", 6th USENIX Security Symposium, July 1996.
8. C. M. Ellison, B. Frantz, B. Lampson, R. Rivest, B. M. Thomas, and T. Ylonen, "SPKI Certificate Theory", IETF Internet Draft, November 1998.
9. K. Fujimura and Y. Nakajima, "General-purpose Digital Ticket Framework", 3rd USENIX Workshop on Electronic Commerce, August 1998, pp. 177-186.
10. S. Glassman, M. Manasse, M. Abadi, P. Gauthier, and P. Sobalvarro, "The Millicent Protocol for Inexpensive Electronic Commerce," In Proceedings of WWW4, December 1995.
11. V. Moscaritolo and A. N. Mione, "PGPticket", IETF Internet Draft, November 1998.
12. Y. Nakajima and K. Fujimura, "XML Ticket Model and Syntax Specification," IETF Internet Draft, to appear.
13. K. Otani, H. Sugano, and M. Mitsuoka, "Capability Card: An Attribute Certificate in XML", IETF Internet Draft, November 1998.
14. Peter Wayner, "Digital Cash", Academic Press Ltd., 1997.
15. P. Zimmermann, The Official PGP User's Guide, MIT Press, 1995.
16. Document Content Description for XML (DCD), The World Wide Web Consortium, Note, 1998, https://www.w3.org/TR/NOTE-dcd
17. Extensible Markup Language (XML) 1.0, The World Wide Web Consortium, Recommendation, 1998, https://www.w3.org/TR/REC-xml
18. Resource Description Framework (RDF) Model and Syntax Specification, The World Wide Web Consortium, Recommendation, 1998, https://www.w3.org/TR/REC-rdf-syntax/
19. Schema for Object-oriented XML (SOX), Note, 1998, https://www.w3.org/TR/NOTE-SOX/
20. ISO/IEC 9594-8 (X.509), Information Technology - Open System Interconnection - The Directory: Authentication Framework