
W3C Workshop on Access Control Application Scenarios
Agenda 17 and 18 November 2009 -- Luxembourg
ISBN - 978-88-97253-00-6


The draft minutes are available at:

Presentations should be short (15 minutes or so) and focus on salient points that are relevant to the workshop's goals. We aim to encourage plenty of discussion!

The workshop will last from 9am to 5pm each day and you should aim to arrive at 8:30am to collect your name badge, and to meet and greet other participants. We may continue a little later on the first day depending on discussions. The Workshop will be held in the Abbaye de Neumunster in Luxembourg. The Abbaye is easily accessible via a public lift from the city center of Luxembourg where a broad variety of hotels are available.

On behalf of the Chairs, we very much look forward to meeting you there on the 17th.

p.s. if you or your co-authors who are planning on attending the workshop haven't already done so, can each of you please fill out the registration form which is needed for gathering logistical information.

First day - Tuesday, 17th November

8:30 collect name badges, meet and greet other participants

9:00 Introduction by the chairs

Sharing Scientific Data: Scenarios and Challenges (slides), Shirley Crompton (e-Science Centre, STFC Daresbury Laboratory, UK), and Benjamin Aziz, Michael Wilson (e-Science Centre, STFC Rutherford Appleton Laboratory, UK)

Moving beyond copyright to consider data sharing agreements on who can access the data and what obligations are entailed.

Towards an Integrated Approach to the Management, Specification and Enforcement of Privacy Policies (slides), Marco Casassa Mont, Siani Pearson (Systems Security Lab, HP Labs, Bristol, UK), and Sadie Creese, Michael Goldsmith, Nick Papanikolaou (International Digital Laboratory, University of Warwick, UK)

Describes EnCoRe project's approach for privacy policies and argues for higher level representation than XACML.

10:30 Coffee break

Can Access Control be Extended to Deal with Data Handling in Privacy Scenarios? (slides), Laurent Bussard (European Microsoft Innovation Center, Aachen, Germany), Moritz Y. Becker (Microsoft Research – Cambridge, UK)

Describes how SecPAL can be applied to data handling obligations. SecPAL supports statements like X says Y [may|will] do <action> and as such is interesting for delegation mechanisms.

XACML for Export Control and Intellectual Property Protection, John Tolbert, Boeing [cancelled]

Describes XACML attributes for export control and intellectual property.

12:30 Lunch break

Requirements for Policies in Cross-Domain Services Composition (slides), Ulrich Pinsdorf (Microsoft), Jan Schallaboeck (ULD), Stuart Short (SAP)

Requirements for composing cross domain SOA-based services.

IETF GEOPRIV Authorization Policies (slides), Hannes Tschofenig, Martin Euchner (Nokia Siemens Networks), Alissa Cooper (Center for Democracy and Technology), Richard Barnes (BBN)

Outline of aims of GeoPriv WG work on policies for location data.

Controlling the unified portrayal of geospatial cross-border maps, (slides) Andreas Matheus, Universität der Bundeswehr München

GeoXACML is an OGC standard describing cross border styling of map data.

15:30 Coffee break

Using XACML for access control in Social Networks, (slides) Anna Carreras, Eva Rodríguez, Jaime Delgado Distributed Multimedia Applications Group (DMAG), Universitat Politècnica de Catalunya (UPC) – Barcelona, Spain

Discusses role of sticky policies and XACML.

Helping users to manage the information they disclose to websites, (slides) Dave Raggett, W3C/ERCIM

Describes ideas for a privacy assistant and its implementation as a browser add-on, and as a trusted intermediary, building upon work in the PrimeLife project. Reality vs illusion questions what users really want.

On Frameworks for the Visualization of Privacy Policy Implications (slides), Rafael Accorsi and Thomas Stocker, Department of Telematics, Albert-Ludwigs-Universität – Freiburg, Germany

It is fairly easy for people to fail to understand the full implications of the privacy policies they have defined, with the consequence of implicitly allowing the collection and usage of data that they explicitly did not want collected or used. This paper argues for a framework that would allow people to compute and visualize the implications of a policy, i.e. to make implicit access and usage decisions explicit to users.

Second day - Wednesday, 18th November

The State of the Access Control 2009, Principles, Requirements, Standards, Implementations & Gaps, (slides) Hal Lockhart, Oracle

Notes need for standardization of attributes and the means to transport them. SAML and other lower level standards don't address privacy and high level security properties.

Bottom-Up approach for Compliance: The MASTER position (slides), Emmanuel Pigout, Philip Miseldine, SAP Research

Argues for a bottom-up approach to how organizations deal with compliance requirements (internal organization policy, regulations, or standards).

10:30 Coffee break

Towards Standardization of Distributed Access Control, (slides) Mario Lischka, Yukiko Endo (NEC Laboratories Europe, Heidelberg Germany), and Elena Torroglosa, Alejandro Pérez, Antonio G. Skarmeta (Department of Information and Communications Engineering, University of Murcia – Murcia, Spain)

Distributed policies, XACML and SWIFT.

Towards Modelling and Verifying Dynamic Access Control Policies for Web-based Collaborative Systems, (slides) Hasan Qunoo, Masoud Koleini and Mark Ryan, School of Computer Science, University of Birmingham, UK

Modelling and verification framework (X-Policy) for large web-based collaborative management systems.

12:30 Lunch break

Extending XACML for Open Web-based Scenarios, (slides) Claudio A. Ardagna, Sabrina De Capitani di Vimercati, Eros Pedrini, Pierangela Samarati (DTI - Università degli Studi di Milano, Italia), Stefano Paraboschi, Mario Verdicchio (DIIMM - Università degli Studi di Bergamo, Italia)

Describes possible extensions to XACML for web scenarios where servers generally do not have prior knowledge of the requesters. n.b. Not to be confused with open world assumption (as in RDF).

Obligation Standardization, (slides) David Chadwick, University of Kent, Mario Lischka, NEC Europe Ltd

Discusses obligation specification language as an XACML extension.

15:30 Coffee break

Credential-Based Access Control Extensions to XACML, (slides) Jan Camenisch, Sebastian Mödersheim, Gregory Neven, Franz-Stefan Preiss, and Dieter Sommer, IBM Research – Zurich, Switzerland

Argues for use of credentials and how XACML could be extended to support them. Brief description of credential functionality.

PrimeLife Policy Language, (slides) Claudio A. Ardagna, Eros Pedrini, Sabrina De Capitani di Vimercati, Pierangela Samarati (DTI - Università degli Studi di Milano, Italy), Laurent Bussard (European Microsoft Innovation Center, Aachen, Germany), Gregory Neven, Franz-Stefan Preiss (IBM Zurich Research Center, Zurich, Switzerland), Stefano Paraboschi, Mario Verdicchio (DIIMM - Università degli Studi di Bergamo, Italy), Dave Raggett (W3C/ERCIM), Slim Trabelsi (SAP Labs France, Sophia Antipolis, France)

Describes extensions to XACML 3.0 for data handling obligations and credential-based access control. This includes the notion of sticky policies in which personal data are combined with the associated policies, and also policies for third-party access.

Summing Up and closing session