![Page 1: PrimeLife Policy Language - w3.org PrimeLife.pdf · PrimeLife Policy Language Gregory Neven, IBM Research – Zurich ... trigger at 2010/01/01 ≤trigger at 2010/12/31 – actions,](https://reader036.vdocuments.us/reader036/viewer/2022070816/5f105fc17e708231d448cb3c/html5/thumbnails/1.jpg)
© 2009 IBM Corporation
PrimeLife Policy Language
Gregory Neven, IBM Research – ZurichW3C Workshop on Access Control Scenarios, Nov. 18th, 2009, Luxembourg
Claudio Ardagna, Eros Pedrini, Sabrina De Capitani di Vimercati, Pierangela Samarati, Laurent Bussard, Gregory Neven, Franz-Stefan Preiss, Stefano Paraboschi, Mario Verdicchio, Dave Raggett, Slim Trabelsi
![Page 2: PrimeLife Policy Language - w3.org PrimeLife.pdf · PrimeLife Policy Language Gregory Neven, IBM Research – Zurich ... trigger at 2010/01/01 ≤trigger at 2010/12/31 – actions,](https://reader036.vdocuments.us/reader036/viewer/2022070816/5f105fc17e708231d448cb3c/html5/thumbnails/2.jpg)
© 2009 IBM Corporation Gregory Neven, IBM Research – Zurich W3C Workshop on Access Control Scenarios, Nov. 18th, 2009, Luxembourg 2
Scenario
Data Subject
Issuer
Data Controller
DownstreamData Controller
ResourcesNon-personal content, services,…
Collected personal data
Personal Data (PD)Non-certified
Certified: credentials
requestcredential
credential
request resource
request personal data
personal data
resource
requestpersonal data
personal data
![Page 3: PrimeLife Policy Language - w3.org PrimeLife.pdf · PrimeLife Policy Language Gregory Neven, IBM Research – Zurich ... trigger at 2010/01/01 ≤trigger at 2010/12/31 – actions,](https://reader036.vdocuments.us/reader036/viewer/2022070816/5f105fc17e708231d448cb3c/html5/thumbnails/3.jpg)
© 2009 IBM Corporation Gregory Neven, IBM Research – Zurich W3C Workshop on Access Control Scenarios, Nov. 18th, 2009, Luxembourg 3
Specific Policy:over specific resource (e.g. BuyService)• Access control policy (ACP):
who can access• credentials to possess (e.g. ID card)• personal data to reveal (e.g. nationality) • conditions to satisfy (e.g. age>18)
• Data handling policy (DHP):how revealed personal data will be treated• Authorizations (e.g. marketing purposes)• Obligations (e.g. delete after 1y)
Generic Policy:DHP over implicitly revealed personal data(e.g. IP address, cookies,…)
• Authorizations (e.g. admin purposes)• Obligations (e.g. delete after 1y)
Types of policies
Data Subject Data Controller
ResourcesNon-personal content, services,…
Collected personal data
Personal Data (PD)Non-certified
Certified: credentials
Specific Policy:over specific personal data (e.g. birth date)• Access control policy (ACP):
who can access (e.g. PrivacySeal silver)• Data handling preferences (DHPrefs):
how is to be treated when revealed• Authorizations (e.g. marketing purposes, forwarded to PrivacySeal gold)
• Obligations (e.g. delete after ≤2y)
Generic Preferences:DHPrefs over implicitly revealed personal data(e.g. IP address, cookies,…)
• Authorizations (e.g. admin purposes)
• Obligations (e.g. delete after ≤2y)
XACML
SAML
request resource
request personal data
personal data
resource
PolicyEngine
PolicyEngine
![Page 4: PrimeLife Policy Language - w3.org PrimeLife.pdf · PrimeLife Policy Language Gregory Neven, IBM Research – Zurich ... trigger at 2010/01/01 ≤trigger at 2010/12/31 – actions,](https://reader036.vdocuments.us/reader036/viewer/2022070816/5f105fc17e708231d448cb3c/html5/thumbnails/4.jpg)
© 2009 IBM Corporation Gregory Neven, IBM Research – Zurich W3C Workshop on Access Control Scenarios, Nov. 18th, 2009, Luxembourg 4
Specific Policy:Resource R:• ACP:
• own cred• reveal PD1 under DHP1,
cred.PD2 under DHP2• where φ
• DHP1: …• DHP2: …
Generic Policy:GDHP: …
Interaction overview
Data Subject Data Controller
request generic policy
generic policy matching
request specific policy(R)
specific policy matching
request R, proof(ACP), personal data
R
PolicyEngine
PolicyEngine
Specific Policy:Resource PD1:• DHPrefs1: …
Resource cred.PD2:• ACP2: …• DHPrefs2: …
Generic Policy:GDHPrefs: …
![Page 5: PrimeLife Policy Language - w3.org PrimeLife.pdf · PrimeLife Policy Language Gregory Neven, IBM Research – Zurich ... trigger at 2010/01/01 ≤trigger at 2010/12/31 – actions,](https://reader036.vdocuments.us/reader036/viewer/2022070816/5f105fc17e708231d448cb3c/html5/thumbnails/5.jpg)
© 2009 IBM Corporation Gregory Neven, IBM Research – Zurich W3C Workshop on Access Control Scenarios, Nov. 18th, 2009, Luxembourg 5
request specific policy(R)
specific policy matching
request R, proof(ACP), personal data
R
Interaction overview: generic policy negotation
Data Subject Data Controller
request generic policy(fixed location, à la P3P safe zone)
GDHP
GSP
GSP ≤ GDHP ?
generic sticky policy GSP = match(GDHP, GDHPrefs)
PolicyEngine
PolicyEngine
Specific Policy:Resource R:• ACP:
• own cred• reveal PD1 under DHP1,
cred.PD2 under DHP2• where φ
• DHP1: …• DHP2: …
Generic Policy:GDHP: …
Specific Policy:Resource PD1:• DHPrefs1: …
Resource cred.PD2:• ACP2: …• DHPrefs2: …
Generic Policy:GDHPrefs: …
![Page 6: PrimeLife Policy Language - w3.org PrimeLife.pdf · PrimeLife Policy Language Gregory Neven, IBM Research – Zurich ... trigger at 2010/01/01 ≤trigger at 2010/12/31 – actions,](https://reader036.vdocuments.us/reader036/viewer/2022070816/5f105fc17e708231d448cb3c/html5/thumbnails/6.jpg)
© 2009 IBM Corporation Gregory Neven, IBM Research – Zurich W3C Workshop on Access Control Scenarios, Nov. 18th, 2009, Luxembourg 6
request generic policy
generic policy matching
request R, proof(ACP), personal data
R
Interaction overview: specific policy negotation
Data Subject Data Controller
satisfy ACP ? (identity selection)sticky policies SP1 = match(DHP1, DHPrefs1),
SP2 = match(DHP2, DHPrefs2)
request policy(R)
ACP, DHP1, DHP2
ACP2, SP1, SP2
proof(ACP2)
satisfy ACP2 ? SP1 ≤ DHP1 ? SP2 ≤ DHP2 ?
PolicyEngine
PolicyEngine
Specific Policy:Resource R:• ACP:
• own cred• reveal PD1 under DHP1,
cred.PD2 under DHP2• where φ
• DHP1: …• DHP2: …
Generic Policy:GDHP: …
Specific Policy:Resource PD1:• DHPrefs1: …
Resource cred.PD2:• ACP2: …• DHPrefs2: …
Generic Policy:GDHPrefs: …
![Page 7: PrimeLife Policy Language - w3.org PrimeLife.pdf · PrimeLife Policy Language Gregory Neven, IBM Research – Zurich ... trigger at 2010/01/01 ≤trigger at 2010/12/31 – actions,](https://reader036.vdocuments.us/reader036/viewer/2022070816/5f105fc17e708231d448cb3c/html5/thumbnails/7.jpg)
© 2009 IBM Corporation Gregory Neven, IBM Research – Zurich W3C Workshop on Access Control Scenarios, Nov. 18th, 2009, Luxembourg 7
Interaction overview: resource request
Data Subject Data Controller
request R, proof(φ), PD1, cred2.PD2
R
φ, PD1, cred2.PD2 ⇒ ACP ?check proof(φ)
PolicyEngine
PolicyEngine
request generic policy
generic policy matching
request specific policy(R)
specific policy matching
Specific Policy:Resource PD1:• DHPrefs1:
• Auths1’, Obls1’
Resource cred.PD2:• ACP2• DHPrefs2:
• Auths2’ ⊇⊇⊇⊇ DACP2,Obls2’
Generic Policy:GDHPrefs
Specific Policy:Resource R:• ACP:
• own cred• reveal PD1 under DHP1,
cred.PD2 under DHP2• where φ
• DHP1: …• DHP2: …
Generic Policy:GDHP: …
Specific Policy:
Resource PD1:• ACP = DACP1• SP1
• DHPrefs ≤ SP1
Resource cred2.PD2:• ACP = DACP2• SP2
• DHPrefs ≤ SP2
PolicyEngine
ObligationEngine
![Page 8: PrimeLife Policy Language - w3.org PrimeLife.pdf · PrimeLife Policy Language Gregory Neven, IBM Research – Zurich ... trigger at 2010/01/01 ≤trigger at 2010/12/31 – actions,](https://reader036.vdocuments.us/reader036/viewer/2022070816/5f105fc17e708231d448cb3c/html5/thumbnails/8.jpg)
© 2009 IBM Corporation Gregory Neven, IBM Research – Zurich W3C Workshop on Access Control Scenarios, Nov. 18th, 2009, Luxembourg 8
Authorizations and obligations
� General principle: provide – wrapper for user-extensible vocabularies– basic pre-defined vocabulary
� Authorizations– “use for purpose”
• user-extensible (OWL?) ontology of purposes, • basic pre-defined ontology available
– “forward to ACP” = downstream access control� Obligations
– general structure: do action when trigger (from start to end)– pre-defined actions:
• “delete data”• “anonymize data”• “notify data subject”• “write to (secure) log”
– pre-defined triggers:• at time, periodic• data access, data deletion• data loss, obligation violation• aliens landing on earth
![Page 9: PrimeLife Policy Language - w3.org PrimeLife.pdf · PrimeLife Policy Language Gregory Neven, IBM Research – Zurich ... trigger at 2010/01/01 ≤trigger at 2010/12/31 – actions,](https://reader036.vdocuments.us/reader036/viewer/2022070816/5f105fc17e708231d448cb3c/html5/thumbnails/9.jpg)
© 2009 IBM Corporation Gregory Neven, IBM Research – Zurich W3C Workshop on Access Control Scenarios, Nov. 18th, 2009, Luxembourg 9
Obligation & authorization matching
automated matching of any two data handling preferences/policies via“less permissive than” relation (≤) defined on
– authorizations, e.g.
use for {delivery} ≤ use for {delivery,marketing}
– triggers, e.g.
trigger at 2010/01/01 ≤ trigger at 2010/12/31
– actions, e.g.
delete firstname, lastname ≤ delete firstname
– obligations
o1=(a1,t1,v1) ≤ o2=(a2,t2,v2) ⇔ (a1≤a2) ^ (t1≤t2) ^ (v1≤v2)
– sets of authorizations and obligations
O1 ≤ O2 ⇔ ∀o1∈O1 ∃o2∈O2 : o1 ≤ o2
– data handling policies
P1 = (A1,O1) ≤ P2 = (A2,O2) ⇔ A1 ≤ A2 ^ O1 ≤ O2
actiontrigger
validity
![Page 10: PrimeLife Policy Language - w3.org PrimeLife.pdf · PrimeLife Policy Language Gregory Neven, IBM Research – Zurich ... trigger at 2010/01/01 ≤trigger at 2010/12/31 – actions,](https://reader036.vdocuments.us/reader036/viewer/2022070816/5f105fc17e708231d448cb3c/html5/thumbnails/10.jpg)
© 2009 IBM Corporation Gregory Neven, IBM Research – Zurich W3C Workshop on Access Control Scenarios, Nov. 18th, 2009, Luxembourg 10
Embedding into XACML
![Page 11: PrimeLife Policy Language - w3.org PrimeLife.pdf · PrimeLife Policy Language Gregory Neven, IBM Research – Zurich ... trigger at 2010/01/01 ≤trigger at 2010/12/31 – actions,](https://reader036.vdocuments.us/reader036/viewer/2022070816/5f105fc17e708231d448cb3c/html5/thumbnails/11.jpg)
© 2009 IBM Corporation Gregory Neven, IBM Research – Zurich W3C Workshop on Access Control Scenarios, Nov. 18th, 2009, Luxembourg 11
Summary
� Privacy enhancements
– step-wise interaction: generic policy, specific policy, resource
– reveal attributes vs. prove condition holds
– two-sided data handling policies/preferences, automated matching
– user-extensible authorization/obligation vocabularies,basic vocabularies provided
� Credential-based access control
– attributes grouped in credentials
– technology independence
– policy sanitization
� Based on existing standards: XACML & SAML