Abstract
Access control is concerned with granting access to sensitive data based on conditions that relate to the past or present, so-called provisions. Expressing requirements from the domain of data protection necessitates extending this notion with conditions that relate to the future. Obligations, in this sense, are concerned with commitments of the involved parties. At the moment of granting access, adherence to these commitments cannot be guaranteed. An example is the requirement “do not re-distribute data”, where the actions of the involved parties may not even be observable. We provide a formal framework that allows us to precisely specify data protection policies. A syntactic classification of formulas gives rise to natural and intuitive formal definitions of provisions and obligations. Based on this classification, we present different mechanisms for checking adherence to agreed-upon commitments.
This work was partially supported by the SBF Project 03.0468-1, “GUIDE: Creating a European Identity Management Architecture for eGovernment”.
Copyright information
© 2005 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Hilty, M., Basin, D., Pretschner, A. (2005). On Obligations. In: di Vimercati, S.d.C., Syverson, P., Gollmann, D. (eds) Computer Security – ESORICS 2005. ESORICS 2005. Lecture Notes in Computer Science, vol 3679. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11555827_7
DOI: https://doi.org/10.1007/11555827_7
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-28963-0
Online ISBN: 978-3-540-31981-8
eBook Packages: Computer Science (R0)