Advertisement

Obligation Language and Framework to Enable Privacy-Aware SOA

  • Muhammad Ali
  • Laurent Bussard
  • Ulrich Pinsdorf
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5939)

Abstract

Privacy policies defines rights and obligations on data (e.g. personally identifiable information) collected by services. Tackling privacy policies in a service oriented architecture spanning multiple trust domains is difficult because it requires a common specification and distributed enforcement. This paper focuses on the specification and enforcement of obligations. We describe the requirements, the resulting language, and its implementation. Finally, we compare our results with obligation support in the state of the art. The key contribution of this work is to bridge the gap between specific mechanisms to enforce obligations and underspecified support for obligations in today’s access control and data handling policy languages.

Keywords

Access Control Privacy Policy Policy Language Policy Rule Access Control Policy 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Ardagna, C.A., Cremonini, M., De Capitani di Vimercati, S., Samarati, P.: A privacy-aware access control system. J. Comput. Secur. 16(4), 369–397 (2008)Google Scholar
  2. 2.
    Casassa, M., Beato, F.: On parametric obligation policies: Enabling privacy-aware information lifecycle management in enterprises. In: Eighth IEEE International Workshop on Policies for Distributed Systems and Networks, 2007, pp. 51–55. IEEE Computer Society Press, Los Alamitos (2007)Google Scholar
  3. 3.
    Irwin, K., Yu, T., Winsborough, W.H.: On the modeling and analysis of obligations. In: CCS 2006: Proceedings of the 13th ACM conference on Computer and communications security, pp. 134–143. ACM, New York (2006)CrossRefGoogle Scholar
  4. 4.
    Rissanen, E.: OASIS eXtensible Access Control Markup Language (XACML) Version 3.0. OASIS working draft 10, OASIS (March 2009)Google Scholar
  5. 5.
    Hilty, M., Basin, D., Pretschner, A.: On obligations. In: di Vimercati, S.d.C., Syverson, P.F., Gollmann, D. (eds.) ESORICS 2005. LNCS, vol. 3679, pp. 98–117. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  6. 6.
    Cranor, L., Langheinrich, M., Marchiori, M., Reagle, J.: The platform for privacy preferences 1.0 (p3p1.0) specification. W3C Recommendation (April 2002)Google Scholar
  7. 7.
    TCG: Trusted Computing Platform Alliance (TCPA). Main Specification Version 1.1b, Trusted Computing Group, Inc. (February 2002)Google Scholar
  8. 8.
    Moses, T.: OASIS eXtensible Access Control Markup Language (XACML) Version 2.0. OASIS Standard oasis-access_control-xacml-2.0-core-spec-os, OASIS (February 2005)Google Scholar
  9. 9.
    IBM: Enterprise privacy authorization language (EPAL 1.2)Google Scholar
  10. 10.
    Damianou, N., Dulay, N., Lupu, E., Sloman, M.: The ponder policy specification language. In: Sloman, M., Lobo, J., Lupu, E.C. (eds.) POLICY 2001. LNCS, vol. 1995, pp. 18–38. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  11. 11.
    Kagal, L., Finin, T., Joshi, A.: A policy language for a pervasive computing environment. In: POLICY 2003: Proceedings of the 4th IEEE International Workshop on Policies for Distributed Systems and Networks, p. 63. IEEE Computer Society, Los Alamitos (2003)CrossRefGoogle Scholar
  12. 12.
    Hilty, M., Pretschner, A., Basin, D., Schaefer, C., Walter, T.: A policy language for distributed usage control. In: Biskup, J., López, J. (eds.) ESORICS 2007. LNCS, vol. 4734, pp. 531–546. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  13. 13.
    Pretschner, A., Schütz, F., Schaefer, C., Walter, T.: Policy evolution in distributed usage control. In: 4th Intl. Workshop on Security and Trust Management, Elsevier, Amsterdam (2008)Google Scholar
  14. 14.
    Katt, B., Zhang, X., Breu, R., Hafner, M., Seifert, J.P.: A general obligation model and continuity: enhanced policy enforcement engine for usage control. In: SACMAT 2008: Proceedings of the 13th ACM symposium on Access control models and technologies, pp. 123–132. ACM, New York (2008)CrossRefGoogle Scholar
  15. 15.
    El Rakaiby, Y., Cuppens, F., Cuppens-Boulahia, N.: Formalization and management of group obligations. In: Proceedings of IEEE International Symposium on Policies for Distributed Systems and Networks, POLICY 2009 (2009)Google Scholar
  16. 16.
    Cholvy, L., Garion, C.: Deriving individual obligations from collective obligations. In: AAMAS 2003: Proceedings of the second international joint conference on Autonomous agents and multiagent systems, pp. 962–963. ACM, New York (2003)CrossRefGoogle Scholar
  17. 17.
    Ni, Q., Bertino, E., Lobo, J.: An obligation model bridging access control policies and privacy policies. In: SACMAT 2008: Proceedings of the 13th ACM symposium on Access control models and technologies, pp. 133–142. ACM, New York (2008)CrossRefGoogle Scholar
  18. 18.
    Ni, Q., Trombetta, A., Bertino, E., Lobo, J.: Privacy-aware role based access control. In: SACMAT 2007: Proceedings of the 12th ACM symposium on Access control models and technologies, pp. 41–50. ACM, New York (2007)CrossRefGoogle Scholar
  19. 19.
    Gama, P., Ferreira, P.: Obligation policies: An enforcement platform. In: POLICY 2005: Proceedings of the Sixth IEEE International Workshop on Policies for Distributed Systems and Networks, Washington, DC, USA, pp. 203–212. IEEE Computer Society, Los Alamitos (2005)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Muhammad Ali
    • 1
  • Laurent Bussard
    • 1
  • Ulrich Pinsdorf
    • 1
  1. 1.European Microsoft Innovation CenterAachenGermany

Personalised recommendations