به سمت تجارت امن سهمیه بندی دی اکسید کربن هوانوردی   Towards a secure trading of aviation CO2 allowance

1. Introduction Air transport, as all other socio-technical systems, is always in search of ways for improving its cost efficiency. Programs pursuing this aim have appeared throughout the world: SESAR in Europe, NextGen in USA, OneSky in Australia, SIRIUS in Brazil, or CARATS in Japan. Beyond these different names, they all share similar concepts, such as the idea that efficiency can be improved only by ensuring a continuous flow of information between the agents and stakeholders involved in the operation. Some examples include sharing future trajectory intentions by aircraft, negotiations for slot exchange by airlines, or the continuous monitoring of global mobility and CO2 emissions. Such data flow is also necessary when increasing safety is the objective, i.e. in the analysis of past incidents and accidents, thus of historical operational data. Achieving such seamless flow of information entails two important and contradictory challenges. First, most ATM data are considered confidential and sensitive and, hence, private – both for their commercial value, and for the political or social consequences some of the analyses may cause; any solution should thus guarantee an adequate level of confidentiality. Second, at the same time, data should be stored and processed in a safe and efficient way, which usually implies the use of a cloud-based infrastructure. This may generate security problems, as the exact location of data in the cloud is generally not known (Kaufman, 2009). Present solutions, like SESAR’s System Wide Information Management (SWIM) (Meserole and Moore, 2007), only partially tackle these two problems. Specifically, SWIM is based on a public-key infrastructure, allowing users to only access those sets of data included in their authorisation class. Data are released to the party requiring them, hence the security of the system is as good as the security of the worst procedure implemented by anyone party. As a result, the usefulness of the whole paradigm depends on trust: bothbetween users, and between these and the system managers.