See also: IRC log; Workshop home page; agenda; minutes of day 1
AA: What is different from DRM?
PC: Access and usage of privacy preference engine giving more...
... flexibility to the user / DRM is more complicated and ...
... application-specific. Here user-centred stage.
GH: How many users were tested?
PC: 12 users for pre-study, for other components 40 users
GH: Published?
PC: Now first findings (slides)
GH: What does "Personal semantic attack" mean?
PC: E.g. stalking in social networks, i.e. people you know can be the attackers
RI: Comment on DRM: two meanings of the term "sharing": disclosing to...
... outside (public) or having family members which have access to content ...
... with the same rules -> in this case it's not about preferences ...
PG: For people with disabilities it is important to control when to...
... disclose handicap information. Which kind of policies deals with that? ...
... How far are ontologies on that?
GH: More information in IBM Report RZ 3674 out end of October
(pre-copies could be provided by Giles)
PC: Data you wanted to protect (AIDS test to be deleted) - If you ...
... use now numbers representing this: How does this work for the end-user? ...
GH: Not shown to the user, automated system; important point: provable unlinkable to the user
RW: SPARQL - working draft (after having been candidate for standardisation)
GH: not necessarily to use SPARQL, but maybe XACML or SAML
DJW: How strong the de-identification is in the presented environment? ...
... Isn't there a trade-off between anonymity and reliability? You have to ...
... persuade someone to trust the assertions ...
MH: With the anonymous credential technology you can have both anonymity and accountability.
DJW: But possibility to link by additional information (being member...
... of a club and buying toothpaste at 9 o'clock each day)
PC: Make it harder to de-identify / link
HT: Does X.509 work? Certificates could be generated on the fly
GH: We haven't looked into that - more discussion later on
HT: Bunch of related projects, e.g., in OpenID, SXIP, IETF: How is ...
... this work related? Differences? What are the assumptions in this case? ...
GKA: Here theoretical background: sound cryptographic assumptions
GH: Really unlinkability
FW: Please explain second example: Why driver's licence without name?
GKA: You may question whether this is a good example. Take another one, e.g. AIDS test.
LFP: Strength in unlinkability, but weakness: identity theft. Here you ...
... use open transfer of attributes - at least in the current setting.
GKA: Don't agree - it is not about data, but only make a proof about...
... data. Replay not possibility.
PG: Software available? License?
GH: Will be Open Source.
GKA: Will check license and come back to you.
SP: Hard to achieve that people don't work on real data.
GKA: Notion of k-anonymity in databases. But how much information could be used by real attackers?
GH: What we have: For a given piece of knowledge: ...
... if you have a reasoner in the system, you could warn the user about inferences.
DJW: But problem if you move from a closed world to an open world.
AA: Have you really addressed the problem that the query is minimal?
GH: We addressed at least that it is possible to have a minimal...
... query, but not how to generate minimal queries.
GKA: This is also about preferences.
DJW: What do you do with that now? Knowledge is made by a number of queries?
AA: Problem "I want to use a specific application which asks for a lot...
... of data - I cannot afford the time to question these requests." ...
PC: We use ontology model - we have semantic data which we can attach to the data.
MH: Today we are bound to law, tradition, specific purpose requests...
... Solutions by auditing processes, privacy seals, user feedback ...
... processes, information services by third parties or peers (work is being ...
... done in PRIME). No "artificial intelligence semantic application" in sight.
(scribe misses part of discussion)
JH: There will be cases where we cannot do a complex reasoning, but...
... we may use chunking: grouping information into chunks which then enable ...
... reasoning. Then forwarding rest to humans or so to make the decision.
GH: To summarize: We don't know what the minimal assertion is, but we...
... can implement it with this technology.
SP: privacy policy comparison seems to be key element of approach, provide tech details
MHY: our approach is only protocol, do not work about policy comparison...
... use p3p, compare p3p policies
RW: There was a project from nnda around p3p, that use hashed policies, that were registered with MITI....
... are you using the findings of this project?
MHY: no, not aware
LFP: have to consider policy is not the contract...
... you cannot define fixed sets, they are often changed in the course of negotiation.
MHY: Framework works for mobile carriers.
DJW: in us and european consumer protection laws the question is, what is the consumer reasonably believed
AA: Are your policies specific to a particular set, do you have different policies for each p3p-option?
MHY: It is a complete set of p3p-options.
ED: what about access control. the mobile terminal will notify terminal...
... access control is the other way around, you need to pose conditions...
... how does this fit?
HT: we like to see the end user participate, more of a religious question...
... it would be possible to have the network do the work as well...
LFP: why did you not refer to idlf-work?
<rigo> ...privacy is seen different than OMA and 3GPP
<rigo> Johan: in OMA they are developing a completely different model, and there is some work needed to re-converge
HT: There are a number of folks who use O.M.A. in a different way.
JH: You will have to address this.
<rigo> Danny: It will be hard to have a universally accepted policy framework, not obvious and have to pay attention to fragmentation
DJW: it is only to observe that different groups have different sets of requirements.
... We would like to use everything we can from p3p...
... it would be good if w3c would contribute to ietf.
TLR: proposes to continue this discussion over lunch.
RW: as a warning: we are talking two paradigms...
... service offering services ./. preferences on user side.
<rigo> policies take different semantics than preferences that can be sent forward
HT: I do not think oma is any simpler...
... we tried to talk to them, but the formats are incompatible...
... look at the standards, we use sip...
... their expertise is strong, but there were not a lot of contributions in an ip-based environment.
GH: how do you trust the groups (eg. the girlscouts in the example)
DJW: you write the rule, where you specify who to trust. there is no absolute measure of who to trust.
... with regard to authentication, we have put that out of scope, but we can refer to the existing ones, this is not where our problem is
... you could always specify, a rule has to be signed by p3p.
PC: can you also make assertions about devices as opposed to social networks?
DJW: yes.
... it is an enormous HCI challenge.
HT: we had to develop a language for privacy rules...
... because we had to transmit possible changes to the presence server...
... (on o.m.a.) you have to be very specific, with some of the items in the picture there is a lot of discussions of not using it...
<rigo> HT: presence work is often used as is...
HT: the difficulties show up, eg. should the endhost really see location.
GH: Also look at the difference between protocol and semantics.
HT: I can see how Rigo's comment would fit into a sip environment...
... usually you do not talk to a presence you do not know, because it is your (your provider's) server.
... often it is said, the work is too complex.
LFP: you have to manage all of this, you cannot stop at the protocol level.
DJW: Will go through themes that came up repeatedly ...
... some things need more research ...
... "what is user-centric" is likely to be interesting, but lengthy ...
... from several conversations, interest expressed in policy interoperability ...
... mechanisms for expressing mappings among different policy languages ...
... mobile environment might have one way for describing these ...
... other kinds of ubiquitous computing env might have diff policy language ...
... to express rules over same kind of info ...
... describe how these kinds of policies relate, so one can reason over them ...
... to editorialize, either there's one language, or one needs to talk about ...
... fulfilling interop needs between different kinds of policies ...
... talked about ways in which access control and usage control paradigms relate ...
... synthesize into common framework? ...
... subsumption? ...
... talked about need to express and bundle up user preferences ...
... have pre-defined sets of preferences? ...
... have standard way to express these preferences? ...
... caveat that came up in discussions: ought to be aware of expectations for ...
... deployment, time horizons, implementation efforts ...
... ought to be aware whether talking about s13n with near-term impact ...
... or whether we're doing work that's way out there and that might be picked up eventually ...
... seemed to hear preference towards near-term focus ...
... how do things relate to company priorities ...
... don't need to debate this ...
... but it's a theme to keep in mind ...
... are people generally comfortable with these topics, policy interop, framework, user preferences ...
GH: no updates since this morning?
DJW: policy interop was talked about a bit more ...
GH: language for evidence and certification ...
... but maybe that was my particular topic ...
... maybe it's not privacy related enough ...
... that's all part of the use idemix area etc ....
DJW: subset of point one, interop between policy languages?
... in order to have interoperable rule sets, need interoperability of what they operate on ...
GH: could be very specific
... if it's gonna be done at all, needs work toward that thing alone, not as part of other stuff ...
DJW: This doesn't assume how the work get done ...
GH: just mention it
DJW: identity assertions?
TLR/RW/GH: no, it's about the evidence that backs these
GH: maybe mention idemix; strong relationship
RW: don't forget what Ernesto said yesterday ....
... conditions, actions, obligations ...
SP: bind follow-ups to original scope of workshop ...
... impression that some of this might be out of scope ...
... can we re-bind to the initial questions of negotiation and enforcement?
... make clear how related to the original topics ...
DJW: suggestions?
SP: see language interoperability -- enforcement over a biz process ...
... if we don't have language interoperability, cannot guarantee privacy enforcement ...
... over a biz process ...
... DRM debate -- connection not evident ...
DJW: Don't think this proposes to have the DRM debate, but asks whether DRM techniques might be useful ...
SP: Make concrete what the relationship between privacy and DRM might be.
DJW: Can keep that in mind, good point.
MCM: related to point 2 (DRM), talked about common framework ...
... access control, usage control, data handling ...
RW: This is conditions etc
MCM: Framework!
RW: points 2 and 3
PS: ??
... data handling as concept is richer than obligations only
JJB: struck by word "ontologies"
... do we have a world ontologies library?
... make all the ontologies accessible
DJW: several
... we may have too many ...
... we can talk about it more ...
JJB: store them all in a repository ...
DJW: will pose as question under point 1 ...
JCP: negotiation was in the workshop title ...
... negotiation protocol ...
... negotiation will also need metric ...
DJW: negotiation was in the title of the workshop ...
... we might not have heard so much about it ...
... this list reflects what we did talk about, not what we should have talked about ...
... explore negotiation further? ...
... not obvious that standardization is req on negotiation protocol ...
... possible to assert that negotiation can emerge on top of standard policy languages ...
... however, we didn't hear much about it, so we can't conclude a lot ...
JCP: fancy negotiation schemes where you can ask a lot and get agreement ...
... kind of blue sky attractive ...
... don't think we might have people to do it ...
DJW: "negotiation" under "more research" ...
HT: commitment to products and implementations for things that take more time ...
... is tricky ...
DJW: negotiation was in scope for original P3P work ...
... but didn't work out ...
... tremendous amount of knowledge of this in the agent community ...
... that community clearly knows something about it ...
PC: link up with the agent community
HL: privacy vs user convenience / together with user convenience ...
... as well as privacy and authentication ....
... is that covered there? ...
... authentication doesn't always require identification ...
... put that into the research corner ...
DJW: We heard all the work going on in PRIME on privacy-friendly auth{orization,entication} techniques ...
... relevant? ...
HL: not sure whether more research is needed ...
... marit?
MH: giles?
DJW: one piece of it is standard way of describing evidence ...
GH: that might be enough for today
HL: well, question was what requires more research ...
MH: chunking could be very much of interest, not for standardization ...
... but for research ....
... user support ...
... minimization of requests ...
HL: user convenience, too
DJW: research question?
HL: user convenience during data conveyance in combination with privacy.
GH: what's data conveyance?
HL: that's disclosing personal data
GH: vague
HL: thing is that user convenience is incredibly important in mobile world ...
... constraints ...
... small screens ...
... slow devices ...
... little bandwidth ...
... store info on device, and make it simple to user to fill in forms ...
... use P3P to do that ...
PC: authentication techniques could be an example, but shouldn't be the heading ...
JJB: economic aspects ... dunno whether possible for W3C to organize special day just to dive into the economic aspects ...
RW: that's research ...
SP: support the idea
RW: DIW to host?
SP nods.
JJB: Could also do it in Rotterdam
HL: subject?
JJB: what we need to discuss is whether what we're developing is economically viable ...
DJW: W3C happy to co-sponsor such an event ...
... it's important to our work ...
... but not our main area of expertise ...
... happy to talk about it ...
SP: Didn't see a lot on negotiation or economic aspects at this workshop ...
... need to go deeper into that ...
HL: not questioning the day, just asking what you're envisioning. Clarification.
JJB: draft a program ...
... then limit scope ...
... more than enough to have a small symposion on the economics ...
GH: question that. PRIME spends a lot of money on that topic
GKA: there's more than prime
JJB: PRIME had economics work package ...
... but they haven't achieved more than describing the borders of the problem ...
... won't go deeper ...
... soeren has a lot of material to discuss, deeper than what's in prime ...
... when there's no proper biz model, things will stay in pockets ...
MH: IST conference in Helsinki, workshop on biz models for identity ...
... PRIME, FIDIS, OpenTC ...
GH: don't duplicate!
DJW: suggest to come back to first three topics ...
... sure we'll spin out more new questions as we go ...
... propose to start with first question of policy interoperability ...
... things are likely to happen in a variety of diff policy languages ...
... users gonna have hard time to make choices ...
... user agents gonna have hard time to present useful information ...
... data collectors will have hard time knowing they communicate policies ...
... accurately ...
... some of this is also the problem how back-ends talk to each other ...
... several directions ...
... one is a single language ...
... I'm personally relatively sceptical about that ...
... partially institutional reasons, partially substantive ...
... promote some degree of greater interoperability amongst domain-specific ...
... languages? ...
... or is there no solution, and we move on?
PC: there's a number of diff policy languages out there ...
... many of the domain modeling techniques ...
... different ...
... same true for policies ...
... do we know what those sets of policies are that we can abstract from?...
... thinking a bit in line with work that came from Sun ...
... Robin's table ...
... guessing that's the very first step ...
... some big steps before that ...
... inventory and analysis of policy languages ...
... which we have today and of which we might want interop ...
SP: join skepticism about unified language ...
... clarifying interfaces between languages would be big step forward ...
DJW: anne?
AA: There are clearly some things xacml doesn't do, due to lack ...
... of formal semantic framework ...
... found self thinking "XACML can do that" when listening to other presentations ...
DJW: how would xacml approach reasoning over P3P policy language and geopriv language?
AA: mapping between the two?
DJW: trying to give scenario
... run a web site ...
... has a p3p policy ...
... you have a user agent, a browser ...
... with some preferences ...
... it will evaluate preferences against browser ...
... now take the browser and its preferences on mobile device ...
... mobile device also ships location information to me ...
... assume that information includes the name ...
... I'm able to get that information ...
... now, I have your name, that I didn't have before ...
... inferring things about geopriv policy language that I don't know ...
... assume it has a way to say "collect your name, don't" ...
... is there a way to express geopriv and p3p in my browser, and learn whether my p3p preferences have been respected ...
AA: ontology?
ED: exactly what I meant yesterday, preferences to conditions ...
DJW: trying to get to specific question how xacml will deal with things ...
ED: in this scenario, xacml is target language ...
... xacml will have the access conditions to data ...
... preferences don't state this in generic declarative way ...
... so not enforceable as such ...
... could those be enforced by translating ...
DJW: not asking enforcement question, but reasoning question
... what I heard from Anne ...
... is that if there is ontology that links two languages ...
... then XACML interaction (??) ...
AA: what P3P calls a name includes more things ....
... that might be a subset of what another language calls a name ...
... not trivial ...
HT: example explained well what the problem is ...
... usage scenarios are different ...
... so you see where mapping would take place ...
DJW: how are they different?
HT: focusing on SIP-based presence environment ...
... XACML wouldn't fit there, either ...
DJW: why?
HT: in HTTP case, it was somewhat difficult to extend SIP-based mechanisms ...
... of course, possible to extend everything ...
... can do whatever you want ...
... need more investigation before can say whether it makes sense to combine things ...
... and align them ...
JCP: ??? is one of worst ideas we had in recent years ...
... event time based trigger not expressible in xacml? ...
... access control perspective ...
... developed ontology, kind of ...
... enter information ...
... to the first point ...
... don't know evolution of xacml ...
... some 200 functions ...
... data type ...
... if we go to ontology, also need to consider functions ...
... if we want to express what you said, will be difficult, but not impossible ...
... go for thinking of ontologies mapping ...
GH: isn't solution to this point what you presented this morning, Rein?
DJW: don't know
GH: It's one solution to that exact problem
DJW: given certain conditions, yes
GH: start from scratch with Rein or do what has community?
HT: Trying to see how xacml fits locational presence ...
... possible to describe conditions and actions ...
... not a big deal ...
... event stuff that was previously mentioned goes beyond access control ...
... requires concept of what do with SIP ...
... when tying geopriv and SIP ...
... presence information ...
... in generic HTTP/web environment, it becomes more difficult ...
... how to send messages? ...
... problem not that things don't work ...
... with some of the mechanisms, it's (from IETF point of view) ...
... tried to get XACML into picture couple years ago; push-back ...
... presence work moving forward and being deployed ...
... operator preferences when deploying ...
AA: If you want to reason across policies, XACML isn't what you need ...
... different abstraction level ...
... talking about different things here ...
... specific languages ...
... how can we reason over communities of languages is different problem, and requires different way of expressing it ...
DJW: We have two sets of questions here ...
... one is, is there a reason to do a broader privacy & access control lang for web ...
... or for some communities on the web ...
... the other is, how do we deal with language interop issues ...
... second question is in a way more fruitful ...
... communities go off and do what they do ...
... if they think their interop reqs are minimal ...
... lightweight ...
... but also allow to fulfill interop requirements ...
RW: specific question; came up in PRIME ...
... protocol paradigm ...
... over years of P3P work, saw misunderstanding again and again ...
... Ernesto said "it's a target language" ...
... expressiveness is a function of protocol ...
... If I use a p3p protocol ...
... ask service, draw policy, policy says what service does ...
... one reason for workshop is change of paradigm ...
... sending data to service, expect service to follow rules sent along with data ...
... "destroy it", things like that ...
... these are a bit different ...
... different from privacy perspective from what we've done so far ...
... big question that came up is whether can push data with xacml ...
... give capabilities, get access ..
... client/server thing ...
... look at data handling paradigm ...
... some web services, acting peer-to-peer ...
... make sure that handling of data item follows rules that were stipulated before ...
... xacml semantics in this case?
... orthogonal to protocol?
... dependent on protocol?
... might need something else/more ...
... XACML major target language of that kind of system ...
... anne?
AA: Really want to apologize ...
... not a theoretical language person ...
... for your question ...
... there is at least one ongoing effort to use XACML in association with data ...
... looked at within trusted computing kind of model ...
... ensure that all access goes through policy ...
... it's not "can XACML do this"?
... but how is it used? What's the security model?
... XACML only a tool ...
... only one component ...
GKA: xacml as any other policy language is no more or less than an oracle ...
... you feed it with credentials, and then it tells you whether access is allowed or not ...
... maybe with obligations attached ...
HT: have to think about architecture ...
... how to attach policy to data ...
... size consideration ...
... large xml documents are an issue in mobile world ...
... have other party online ...
... different ways to use it ...
... implement in a proper way ...
... compiling information in way necessary to get decision ...
(discussion on naming convention)
??: people use in specific way ...
... might have to reconsider a few aspects ...
GKA: deployment question vs. language question
HT: protocol question ...
GKA: differentiate between language as defined by oasis and possible deployments ...
MCM: it can also be a language issue if you cannot describe the right events to give an answer...
... it can be not just based on accesses but other events ...
... you provide a set of attributes ...
... if these attributes encode all the right kind of information, then you are happy with XACML ...
... even data sitting on an enterprise platform needs to be referred to by policies which need ...
... to be enforced all the time even when data is just sitting there
DJW: Wrapping up where we are ...
... there are 2 states ...
... 1. an application uses the policy lang that is an empirical question which every environment will make. ...
... locally where that's not possible, for whatever reason, some data abstraction is required ...
... ontologies unify different statements from different languages ...
... nobody suggests that we would make progress towards an über rule language ...
... Would it be useful for the W3C policy interest group to bring the communities together ...
... Patricia's suggestion to do a survey of languages out there ..
... who is interested in that ...
... might be relevant to RIF group ...
... that's going on in W3C ...
... work on WS-Policy?
rigo: yes
DJW: work in WS space that's relevant ...
... useful to have point of contact between that group and policy people here ...
RW: semantic web services relevant as well ...
... interest group ...
DJW: to translate, IG is a group that gets together, with relatively minimal support ...
... but group doesn't have charter to produce formal specs ...
... but can produce documents that get reviewed ...
... place to continue conversation in a focused way ...
??: looking at 5, 6, 7 in research points list ...
DJW: let's finish point 1 ...
<Giles> interest in such a thing - patricia, soren,
DJW: had two specific recommendations ...
... standard language for evidence ...
... john on ontology discovery ...
... giles, want to say anything about this aspect ...
GH: evidence stuff?
... I said a lot in my talk ...
... but for anonymous credentials, it's certainly important ...
... emphasize importance of separating evidence and assertions ...
... they have been mixed up badly in the past ...
... as soon as you factor out trust ...
... then it creates a lot more power ...
... can have the same assertion, but different kinds of evidence ...
... bring reputation, community, idemix, what have you ...
... then there's aspect of user friendliness ...
DJW: ongoing discussion in semantic web community ...
... whether to standardize foaf ...
... or some other ontology for describing attributes ...
... names, relationships ...
GH: describe trust, mechanisms to evaluate trust ...
... who said what about who? ...
DJW: interesting area ...
... it's the kind of thing that could profit from informal community ...
... don't wanna use the word standard ...
... foaf has evolved in bottom-up way ...
... other lightweight id technologies that need same set of tools ...
... same sort of consensus on terms ...
... and types of data ...
GH: metalanguage
DJW: yeah
GH: starting point could be paper by Dieter and Giles ...
... ontology sketch ...
DJW: possible use for a policy interest group ...
... boil a paper down into what could be outlines for a tech spec ...
... get review of it ...
... way to get feed-back from immediate community ...
... get people to help ...
GH: interested in doing that ...
... maybe not in three weeks ...
SP: different experts in different languages ...
... bringing these together might be healthy ...
-- short break --
DJW: We can consider #1 wrapped up ...
... record identities of everybody interested in the Interest Group ...
HT: W3C membership considerations?
DJW: open for discussion
... suggest PFIG ...
... interested: ...
... Patricia Charlton ...
... Anne Anderson ...
... Piero Bonatti ...
... Giles Hogben ...
... Renato Ianella ...
... Hannes Tschofenig ...
... Marco Casassa-Mont ...
... Pierangela Samarati ...
... Jean-Christophe Pazzaglia ...
... Marit Hansen ...
... Sören Preibusch ...
... Xavier Huysmans ...
... thanks ...
... this does not constitute the creation of the group ...
... some process to go through, find chair, etc ...
... expect to hear back from us ...
... fact that there's this number of people interested is important sign ...
... before go into item 2, general point ...
GP: disability issues ...
... accessibility ...
... negotiate how far to give information ...
... information often asked in very quick way ...
... sign lots of forms without reading at bank ...
... membership in group and the like is very important ...
... include disability info in passport? ...
... does someone know other group? ...
... european disability card? ...
DJW: useful way to record is as a use case ...
... for preferences and usage rules ...
... use case that want to make sure is satisfied ...
GP: ???
GH: Not relevant to topic.
... this is about policy languages ...
GP: language should accept input from other way of taking care of this information ...
TLR: vocabulary requirement?
GP: more research.
... looking for others who might be interested ...
... language for representing this information ...
RW: Will go to Geneva tomorrow, ICTSB meeting ...
... round table of all the major European standardizers ...
... they have a working group that addresses all kinds of disabilities ...
... which is called DABSIG (?) ...
... right forum to address these concerns ...
... addressing disabilities, accessibility ...
... far beyond the web and the languages we are talking about here ...
... happy to give reference ...
GP: thanks
JZ: Also relevant to SC27 SGs on identity management and privacy frameworks.
DJW: Next of our three topics -- talked yesterday about access control, data handling, usage control ...
... are different, same, overlapping, care about this, ...
... think that from my standpoint, there is substantive ...
... functional difference between rules that govern ...
... access conditions on data, and rules that govern ultimate usage conditions ...
... say that from a public policy perspective ...
... not from rules semantic perspective ...
... interesting question: how do we see the interaction betw access control expr and usage control expr?
RI: example from rights management perspective ...
... lots of blurring going on ...
... from work in edu sector ...
... want high level licenses ...
... "you can use this content for all students and staff" ...
... what's the access control mechanism to ensure that the folk accessing that content are students & staff ...
... rights license -> low level access control policy ...
... map together, keep closely aligned ...
... don't want to stipulate low-level details ...
... too binding ...
... separate rights and access control ...
PC: from our point of view (applications) ...
... social networking, sharing, content ...
... DRM & standards for commercial content, access, usage ...
... learn from it ...
... need simplified model to map what the users need ...
... this goes back to point 1, policy mapping ...
... at some point, go down to action level ...
... kind of the way we've used it ...
... rather than invent new terminology ...
... link that we saw ...
... in terms of usage ...
... more that can be done ...
... first step that we did ...
... enough challenges ...
... something we can pull in ...
PS: re difference betw drm and dhp ...
... in drm can put any rules on it ...
... any rules that I say applies ...
... when I get songs from itunes, whatever rules are there, enforce ...
... in b2b context, rules that biz imposes have to be accepted ...
... but when user sends stuff to business, can't impose arbitrary rules ...
... some, but not arbitrary ones ...
... Rigo's supermarket example ...
... so there's a difference from DRM ..
... both should be supported ..
... don't know whether same language / same rules ...
... constraints in data handling not related that much to rules, but to data (??) ...
RI: just to follow up on that point ...
... ODRL 2 ...
... that we're modeling now ...
... one of things put in there is ability to negotiate betw parties ...
... so it's not purely that one-way thing ...
... negotiation can occur ...
... want to use someone else's negotiation protocol, if possible ...
... instead of reinventing our own one ...
... can we reuse something in the rights management world?
RW: say: border between drm and data handling blurred -- agree ...
... but they have common characteristic ...
... data is released, but you want to continue to control it ...
... question of how to enforce is the same one ...
DJW: let's remind ourselves, access control vs usage control ...
... it's the case that DRM can cover both ...
... but they're different ...
... shift from usage rules to access rules is what gets DRM its bad reputation ...
...
PS: you say "two kinds of rules, access control and usage" ...
... usage isn't secondary usage, right? ...
DJW: don't mean "usage" in traditional data protection sense ...
AA: examples?
DJW: two examples ...
... you may never use genetic information to make decisions about health insurance coverage ...
... you may not copy more than one paragraph of this document ...
... those are both usage rules ...
PS: secondary usage control?
... constraints should I pass to others?
DJW: I guess those should be expressed as usage rules ...
PS: call secondary usage ...
... data-handling ....
... another kind of world with respect to usage rules ...
DJW: Marco, referred to data handling rules ...
... not sure what they mean as distinct from other categories ...
Scribe misses part of conversation.
PS: what I call secondary usage is the policy that goes along with the data ...
DJW: from web perspective, reluctant to divide rules in that way ...
... understand data protection policy purpose for distinguishing between ...
... primary and secondary purpose ...
... important to express ...
... but disinclined to condition or qualify that by notion of transfer ...
... transfer is separate question ...
... can have secondary usage limitation on initial party ...
PS: who is that? ...
DJW: the first guy who gets usage ...
PS: I give health information to you, and you might have to pass it on ...
... I might want to further restrict what that other party can do ...
... not necessarily the same rules that apply to you ...
... sticky policy ..
DJW: happy to call it anything but access control ...
Scribe misses part of discussion.
PB: support latest point ...
... don't expect these differences between data handling and access control to affect shape as language ...
... more relevant to enforcement mechanisms ...
... pretty relevant to enforcement ...
MCM: what was the question to me?
DJW: data handling ... but don't need perfect taxonomy ...
MCM: what we call data handling in PRIME is obligation stuff ...
... not really access control & how you use data ...
... but rather life cycle handling ...
... data retention is an example ...
... notification ...
PC: examples due to usage control, when you hand over to second person, what we've done in system ...
... using policy model convert to rules, write what else can be done to content when handed over ...
... forward or copy content ...
... view, forward to certain environment ....
... encode into sticky policy ...
... that's usage of content ...
... access is already there ...
SP: wonder if there may be usage of data without having access ...
... relation between access rules and usage rules ...
XH: makes sense to make difference between first usage and secondary usage ...
... access control to data ...
... which entities are allowed to access data ...
... usage ...
... user preferences ...
... if you talk about secondary usage, talking about legislation there ...
... again, if I draw the parallel with own experience ...
... in egov ...
... really have specific regulations ...
... scientific purposes: even though you have collected data for specific purpose, can do other stuff when anonymizing data ...
... important to make the difference ...
... able to talk about other things ...
... not just usage and access control (??) ...
PS: agree on enforcement problem ...
... specific techniques to make sure policies get enforced ...
... not just enforcement ...
...
... before was talking about secondary usage, but have to correct self ...
... P3P was known as secondary usage control language ...
... can't do everything, only some things -- usage controls ...
... not sure what P3P does, but think it might capture this ...
... hospital example ..
... if my data leave the hospital, there should be constraints ...
... originator control ...
... all my data should be controlled by me ...
DJW: probably explored as far as we need to ...
... people have talked about diff kinds of rules, and they seemed to fall into these categories ...
... not sure we need to recognize anything momentous ....
Scribe misses part of discussion.
DJW: we have recognized there's more than one ...
XH: continue discussion about what Renato said ...
... DRM v2 with domains and specs of devices ...
DJW: sorry to be rude -- want some time to talk about #3 ...
... lots of opportunities to talk about what >1 means ...
... user preferences ...
... questions raised in the 2 days about whether we need a way to express user preferences ...
... group them, predefined sets ...
... comment, suggested direction? ...
PC: one of the things that have come up from discussion ...
... ease of use ...
... lots of complexity ...
... map things to predefined set for certain set of applications ...
... other part is getting a privacy model ...
... in a sense that also maps back ...
... pertinent to application sets ...
... unify across different policy languages ...
... express preferences over these abstractions ...
... would help with simplifying things from user standpoint ...
SP: privacy preferences are private info as well ...
... there may be orgs such as consumer councils that might publish predefined sets ...
... see that there are languages that are centered on interactions ...
... like P3P, DRM langs, XACML, ...
... these don't reveal preferences
RW: important part of discussion ...
... perhaps try to conclude ...
... can we leverage XACML in user preference discussion?
... what it does, what it doesn't ...
... important point in workshop ...
... was important in PRIME ...
... will be important in other contexts ...
... mapping ...
AA: Example for XACML use to express user preferences ...
... perfectly possible to say "I'm willing to give credit card information if target is in certain domain" ...
... another one might be "willing to give name, if other party is willing not to pass on info" ...
... there's question of matching those against what target says it's able to do ...
... that, too, can be expressed ...
... neither one of these is XACML policy ...
... expressed using these collections of constraints ...
... expressing sets of preferences ...
... combinations of things you're willing to accept ...
... perfectly possible to express in XACML ...
... possible for target to express capabilities ...
DJW: what do you mean by "not exactly XACML policy"?
AA: It's not possible to match 2 XACML policies in general ...
... semantics of policies are not something that let you determine that one is subset of another ...
... but it is possible to match collections of individual constraints that are expressed using the XACML constraint language ...
GH: would say preferences are just another kind of rule ...
... don't make them into something special ...
... difficulty is HCI ...
... use standards rule language to express query and event and match on this ...
... then do user-friendly abstraction (which is the hard part) ...
... been there with P3P ...
... APPEL ...
... could have used XPath and added user abstraction ...
DJW: we're right at end of our allotted time, esteemed co-chair has to leave ...
... don't think we'll get much further on preferences ...
... policy interoperability ...
... HCI issues are very real ...
... semantic and computation closely related to policy interoperability ...
... come back to that ...
... going to suggest that we conclude ...
... unless anyone has anything that they think should cause co-chair to miss taxi ...
... thanks to Giles & JRC ...
(applause)
DJW: also acknowledge Rigo and Thomas who pulled that together ...
(applause)
(applause for chairs)
DJW: we'll circulate draft summary report, give you opportunity to comment ...
... will create list for everyone to circulate report, comments, etc ...
RW: would ask whether anyone opposed to being added to list ...
DJW: adequate consent
adjourned
<rigo> noted
<rigo> Kriegelstein wants to be on the mailing list too
[End of minutes]