The Architecture of a Privacy-Aware Access Control Decision Component
Today many interactions are carried out online through Web sites and e-services and often private and/or sensitive information is required by service providers. A growing concern related to this widespread diffusion of on-line applications that collect personal information is that users’ privacy is often poorly managed and sometimes abused. For instance, it is well known how personal information is often disclosed to third parties without the consent of legitimate data owners or that there are professional services specialized on gathering and correlating data from heterogeneous repositories, which permit to build user profiles and possibly to disclose sensitive information not voluntarily released by their owners. For these reasons, it has gained great importance to design systems able to fully preserve information privacy by managing in a trustworthy and responsible way all identity and profile information.
In this paper, we investigate some problems concerning identity management for e-services and present the architecture of the Access Control Decision Function, a software component in charge of managing access request in a privacy-aware fashion. The content of this paper is a result of our ongoing activity in the framework of the PRIME project (Privacy and Identity Management for Europe) , funded by the European Commission, whose objective is the development of privacy-aware solutions for enforcing security.
KeywordsAccess Control Access Control Policy Access Control Model Access Request Privacy Preference
Unable to display preview. Download preview PDF.
- 1.Ardagna, C.A., Damiani, E., De Capitani di Vimercati, S., Samarati, P.: A Web Service Architecture for Enforcing Access Control Policies. In: Proc. of the First International Workshop on Views On Designing Complex Architectures (VODCA 2004), Bertinoro, Italy, September 11-12 (2004)Google Scholar
- 2.Ardagna, C.A., Damiani, E., De Capitani di Vimercati, S., Samarati, P.: Towards Privacy-Enhanced Authorization Policies and Languages. In: Proc. of the 19th Annual IFIPWG 11.3 Working Conference on Data and Applications Security (IFIP), Nathan Hale Inn, University of Connecticut, Storrs, USA, August 7-10 (2005)Google Scholar
- 3.Ardagna, C.A., De Capitani di Vimercati, S.: A comparison of modeling strategies in defining XML-based access control languages. Computer Systems Science & Engineering Journal (2004)Google Scholar
- 4.Ashley, P., Hada, S., Powers, C., Schunter, M.: Enterprise Privacy Authorization Language(EPAL). IBM Research (2003)Google Scholar
- 5.Ashley, P., Hada, S., Karjoth, G., Schunter, M.: E-P3P privacy policies and privacy authorization. In: Proc. of the ACM workshop on Privacy in the Electronic Society (WPES 2002), Washington, DC, USA, November 21 (2002)Google Scholar
- 6.Bonatti, P.A., Olmedilla, D.: Driving and monitoring provisional trust negotiation with metapolicies. In: Proc. of the IEEE 6th International Workshop on Policies for Distributed Systems and Networks (POLICY 2005), Stockholm, Sweden, June 6-8 (2005)Google Scholar
- 8.Cranor, L., Langheinrich, M., Marchiori, M., Presler-Marshall, M., Reagle, J.: The Platform for Privacy Preferences 1.0 (P3P1.0) Specification, http://www.w3.org/TR/P3P/
- 9.Damiani, E., Corallo, A., Elia, G.: A Knowledge Management System Enabling Regional Innovation. In: Proc. of the VI international conference on Knowledge-Based Intelligent Information & Engineering Systems (KES 2002), Crema, Italy, September 16-18 (2002)Google Scholar
- 11.Farrell, S., Housley, R.: An Internet Attribute Certificate for Authorization. Request For Comments 3281, Internet Engineering Task Force (2002)Google Scholar
- 13.International Security, Trust, and Privacy Alliance (ISTPA), http://www.istpa.org/
- 14.ITU Telecommunication Standardization Sector (ITU-T). Information Technology Open Systems Interconnection - The Directory: Authentication Framework. Recommendation X.509 (03/00), International Telecommunication Union (2000)Google Scholar
- 17.Karjoth, G., Schunter, M., Waidner, M.: Privacy-enabled Services for Enterprises. In: Proc. of the 13th International Conference on Database and Expert Systems Applications (DEXA 2002), Aix-en-Provence, France, September 2-6 (2002)Google Scholar
- 18.PRIME (Privacy and Identity Management for Europe), http://www.prime-project.eu.org
- 19.Reasoning on the Web (REWERSE), http://www.pms.ifi.lmu.de/rewerse-wga1/index.html
- 22.XACML - (eXtensible Access Control Markup Language), http://www.oasisopen.org/committees/tc_home.php?wg_abbrev=xacml#XACML20