The notion of Hidden Credentials can be applied to protection
of sensitive credentials, resources and policies in Trust Negotiation.
It allows the server to encrypt a resource so that only the client with the
correct credentials can decrypt it. The existing scheme of hidden credentials
requires that the server grant access to the encrypted resource
directly to the client during the negotiation without knowing whether
or not the client can decrypt it. This is a burden when the resources
are very large. We found that when the server grants access to services
rather than resources, the existing hidden credentials schemes are
insecure under our policy attacks, since the server can illegally learn the
client's credentials from the attack. In this paper, we propose a scheme
to stop the server from mounting a policy attack.