See also: IRC log
<dsr> Introductions by the chairs
<dsr> We go around the room introducing ourselves.
<rigo> Agenda: http://www.w3.org/2009/policy-ws/agenda.html
<rigo> chair: Hal Lockhart
<rigo> scribenick: rigo
Hal: ??
Ben: it depends on DSA
Hal: if you have single file and data and you only want to show image, if offline
Ben: yes, if the policy says it
shouldn't than it shouldn't . If the images was given, not the
experiment, the image will be given, but not the rest
... having ACL on parts of the file is definitely an issue
Greg: enforcement of offline
case?
... does this requires the XACML running on the machine?
Ben: yes, need XACML engine on client machine, PEP
Andreas: sticky policy, policy becomes a kind of license
hal: will be discussed further
=================
-- Hal was asking also about the offline case in previous session and about the access on a part of a file
-- Ben responded that both are needed
Andreas: transfer from US to DE sounds familiar
Tomas: It is worse the other way around
<Mario> other way around is not possible
Nick Papanikolaou == np:
TCB: lawyer and IT don't
understand each other, don't want to understand some time
... language has to be clear enough so that lawyers can
understand
... translation of OJ, sometimes fine translation, sometimes
just plain translation
AM: have you looked into Creative Commons (CC), there is no enforcement (on purpose)?
NP: one person working on contracts, not tech person, several service levels, more controls if you pay more
AM: one CC use would be "for
commercial purpose" under the following conditions
... cannot explicitly says commercial
ME == Martin Euchner
ME: legal stuff is fairly difficult to translate into formal lang. need some intermediate step. company policies are closer, can be translated, at what level you find the abstraction?
NP: ACL is very low level (unix,
XACML), legal language is very high level, have to find common
characteristics, these data can be accessed under following
characteristics
... in paper some examples about structures informal, try to
turn in more formal
Greg: translation manual
NP: yes
MTB: gap between natural language and formal is huge
HL: TC is very interested in
projects. Please contact chair or co-chair
... one of the diagrams, label doesn't match the text
... nature of the level
AM: has someone a GUI for the PAP
NP: that's a goal
HL: figuring what kinds of approaches may work
NP: yes
HL: have to agree what the constructs are
RW: consensus by ambiguity
DC == David Chadwick
DC: agreement on meaning is impossible
TCB: 1000 ambiguity can be burned
down to 20 by formal language
... try to reduce ambiguities as much as possible, but don't
try to remove all, will fail
Emmanuel Pigout == PG: we need to work from both sides to close that gap
RW: can IT deal with ambiguities
TCB: those are just bugs, we know how to deal with bugs, not easy
HL: several people talked lawyers, but formal language is talking about IT
PG: in Master we are using PSL to
close that gap, do verification Mcalculus
... translating the controls that legislations try to put in
place
NP: there is an interpretation and we can explore all the options that legal framework gives
HL: everybody agrees that hardest
gap is between natural language and formal language
... create some kind of formal model and give that some
verification points where you ask back
TCB: you still need some kind of bugzilla to clear the issues
HL: Ben, scientific data provided and share data. Do you have hopes that we can automate
Ben: data is evolving over time, additional prob. Customize policies to data, but haven't arrived there yet, perhaps transformations, what requirements to put on data
HL: prob in ACL is ACL calculus, means what is the comparison between ACL policy of A and ACL policy of B
Greg: scientific data, requirements in Primelife, it also applies to personal data. What are the policy of revealing that you're over 21
RW: scope must be narrow
AM: ACL policy is context
dependent
... in US ID is shown for beer, even if you have grey
hair
... could have an anon token on paper to go to the bar
... policy for accumulated data by service would be hard, so
service should just forget, common criteria
SS: what about selling a token?
HL: information is collected, only known to a small number of people
PS: just need a credential
<dsr> The token needs to be tied to the person, which means that verification could involve collection of personal data, e.g. finger print, iris scan etc.
AM: is there a possiblity if a service is accumulating data about a person, accumulation and policy is an issue
<dsr> or more commonly photos
NP: over 21, you don't do electronically, plastic card "over 21"
HL: how do you prevent from giving it to your buddy
NP: no protection
HL: challenge people to have a different use case than legal age
Raphael: how to enforce policy,
conflict, you want to control your data, therefor you must
identify to control
... very complex prob, working on it
Greg: there are fancy crypto tools on service so that you don't collect data at all, zero knowledge proof
dsr: verified electronically, if its a human, the human will forget. Avoiding to collect
greg: in US they sweep passport in the bar
HL: they try to detect forgeries
TCB: people take hash from ear picture and have an ear scanner in the night club. Night club would have to invest a lot
DC: centralizing data in one
place is a bad idea
... the more decentralized, the better it is.
<dsr> The hash of the ear photo is personally identifying information, and privacy sensitive.
NP: Problem is to keep that up to date
=============================================
<dsr> we break for coffee
<dsr> scribe: dsr
<scribe> scribenick: dsr
HL: re XACML as DH aware AC, SAML and XACML don't cover trust statements
LB: is XACML the right language for privacy enhanced access control?
DC: we don't believe that one global language will be practical, but the response is easier to deal with
HL: XACML's use of obligation
isn't the same as in LB's presentation.
... upper/lower bound on languages is dependent on semantics of
obligations.
LB: for PrimeLife, we are concerned with comparing obligations which isn't covered by XACML.
RW: this could be handled via
Semantic Web for declarative statements as basis for
matching.
... how does XACML handle tests for comparisons?
The next scheduled talk is cancelled as John Tolbert isn't here at the workshop.
HL gives a brief summary of the Boeing position paper on XACML for Export Control and Intellectual Property Protection
HL: excited about people bring
use cases on defining XACML access control attributes.
... we introduced obligations and advice into XACML as part of
3.0
If you don't understand the obligations access should be denied, whilst advice is info to pass to the requester
HL: another new feature is ability to associated attributes with values (?)
We've started work on a profile for obligation families
We have stayed clear of addressing obligation futures
In reference to LP's paper, it seems to me that you need to specify obligation semantics.
LB: we tried to address a useful subset, but to allow for news to be added later
HL: I would be very interested for people to define obligation profiles
RW: one of the use cases is delete my data after 8 weeks, but deletion is triggered by a timer event and isn't an access control operation as such
HL: that is out of scope for the XACML TC
looking forward to DC's presentation tomorrow.
HL: number 1 use case people
mention is logging access.
... responding to RW, there is a relationship to XACML
attributes.
LB: triggers aren't always caused by access control operations
ML: you could think of this as an operation that is triggered by access control but deferred.
RW: time is important
HL: XACML doesn't constrain obligations in any way.
RA: OSL is a kind of temporal logic that is relevant to this.
I can provide a reference later on
DC: we are looking at putting other languages within XACML using a way to notify the language
RW: how do you address interoperability in that case?
HL: it's an improvement of just putting an identifier in XACML.
DC: lots of call outs that trigger obligations. Receiver will balk if it doesn't understand the embedded language
<accorsi> M. Hilty et al. A Specification Language for Distributed Usage Control <http://www.springerlink.com/content/b18836662071k4j6/>.
AM: if you ask a data base for all attributes of an object, the access control mechanism can test to see if the set of attributes is okay
the obligation is used as a filter to strip out attributes the requester isn't permitted to access
DC: we have a similar solution, but use a 3rd call out to the PDP as a gate
AM: when requesting a map, some parts may need to be blurred out/hidden. There is no mechanism to verify that the filtering has happened correctly
Filtering by obligations is one case, another is filtering by attributes and a third is blurring out or transforming the data before delivery
DC: if something fails, you should get an exception
AM: the output for geographical data may be a binary image and not something the PDP can check.
Is there another way of checking?
RW: we need to be clear on terminology, lawyers and techies using different terms causes confusion
HL: the alternative approach is to treat each entity separately for access control purposes.
But that doesn't scale well for non-discrete resources
RW: think of a shop, which needs a feedback channel why people leave the shop without making a purchase
Is there a feedback channel?
HL: XACML 3.0 does provide a
means for listing which policies are relevant
... this doesn't answer AM's question of how to model complex
resources.
AM: the server gets an SQL request which needs to be passed through the access control policy.
NP: a lot of scientific applications have many components within large files for which you want to control access to.
HL: AM's case involves continuous
data which creates problems.
... would like to hear discussion about how Semantic Web can be
used to describe access control policies
RW: CB has worked on this. I am wondering how XACML policies could be annotated.
How could that be exploited by the access control engine?
Where to put the annotation is also a question.
HL: there has been some discussion on RDF in the XACML TC, see our wiki
Some of this is outside the scope of XACML, e.g. on describing relationships between attributes.
But we don't have a lot of SemWeb expertise in the TC and would welcome some help.
RW: e.g. relationship between first and second names of people.
SemWeb is good for managing lots of metadata and performing queries.
RW: many natural language terms in policies can map to the same concept in the ontology
The metadata could help with translating high level descriptions into lower level formal ones.
DC: one of the things we want to see in the SAML profile is the ability to provide dynamic policies
HL: we missed that, but there is a reluctance to re-open things right now.
May be we have been too rigourous...
People trying to apply XACML to webservices are bringing further requirements
There are a lot of implementation choices...
DC: a generic infrastructure works provided you can take advantage of the context
AM: an access request doesn't always have the information needed for access control, and you need to check the result of the data base operation to determine what access control decisions are needed
DC: what about doing something before obligation?
In my talk tomorrow, I will talk about checks before, during and after obligations.
HL: the policy could provide a filter to strip out data that the user shouldn't be shown
DC: we have been experimenting with this for obligations in XACML 2.0
HL: XACML 3.0 obligation families will help with that
RW: the SQL query can be analysed to see which tables/attributes will be involved.
Maybe the metadata could assist with a pre-query check
we break for lunch
some data gathering on restaurant suggestions for this evening
we will make a booking at 6:30pm
and walk straight there from here
<tlr> Scribe: tlr
-> http://www.w3.org/2009/policy-ws/slides/Short.pdf slides
HL: Please explain legal
requirement 1
... are these policies that are sticky to the data
... what is a communicated policy?
SS: Service has given a
policy
... when the user wants to use portal and subsequently
different service
... wants to ensure that policy that was originally declared is
respected
HL: Does user declare to the new
service when composition changes?
... what are you trying to do?
SS: Policy is stuck to the
data
... data and policy are sent (in this example) to temping
agency
... do not want policy to be lost when there is chain of
services
...
??: Are you assuming it's just an initial, immutable policy?
SS: It doesn't change.
Ben: : In case of CV, may extract part of CV, so I've now got a new piece of data
SS: requirement to change one's mind after release of data.
??: that's hard, once data is relinquished
RW: if data is gone, there is no
legal reason to have notice
... so requirement turns void
DC: My understanding -- if data is given and policy is "delete in a year", and user changes mind -- they can't
RW: they can make up their mind
in certain circumstances
... distinction is whether you can get out of a previous
contract -- revocation of permission
... if you drill down, it's all common sense
<rigo> (David Chadwick)
MCB: so you're assuming a
standardized CV in XML?
... there's a standardized European CV format. ;-)
DC: revocation capability?
SS: not quite
DC: note that universities can
revoke certificates
... if use SAML, assume short-term
RW: revocation can occur on behalf of institution or on behalf of data subject
DC: in second case, not revoking qualification, but right to use this
RW: multiple stakeholders in the
model
... need to get relations right
... otherwise, get mixed up
<carrasco> http://europass.cedefop.europa.eu/
RW: sometimes better to start from protocol, some times better to start from real-world assmptions
DC: worse in SAML case with masquerade etc
HL: "give the secretary your key or signature" type of scenario
-> http://www.w3.org/2009/policy-ws/papers/Tschofenig.pdf paper
-> http://www.w3.org/2009/policy-ws/slides/Euchner.pdf slides
<carrasco> Direct to the CV http://snurl/eu-cv
<rigo> ====================================
<rigo> http://www.w3.org/2009/policy-ws/papers/Tschofenig.pdf
TR: deployment and implementation experience?
ME: don't know
GN: what do you mean by "similar to creative commons"?
ME: concept of license needs to be understood, formalized, defined
GN: would it be specified in the
common policy format
... or in English text?
ME: these are ideas; not very specifc; investigation necessary
RW: Do I understand protocol correctly that the device receives request to give geo data out, then policy is attached to geodata, service has to honor the policy
ME: yes
RW: why do they do this?
|: RW, PS: supermarket :|
RW: srsly, do they think the user's conditions will really be accepted?
ME: don't know the geopriv group's motivations
HL: Is the question about tech deployment or legal questions?
RW: consistency with social
conventions is critical for deployment
... I'd love to impose my conditions on US immigration!
HL: understanding is that data is
delivered, conditions are attached
... idea is that the recipient gets benefit of data only if
they accept the condition
RW: they get both -- there's no negotiation, so they honor the conditions -- or not.
HL: absent more elaborate schemes, need to agree in advance that you'll abide by whatever conditions come with the data.
DC: that's the model we're working under in TAS3
RW: doesn't scale
DC: reduce cost of compliance
HL: scope is what's the range of
what can be specified
... then you have the detailed conditions together with the
data
PS: company to company, can think of conditions being pushed
HL: the other way in which these
things get set up is that you have organizations, then
everybody agrees to the conditions
...
??: would perfectly agree that there has to be some kind of framework
scribe: but obfuscation and transformation information might be useful
-> http://www.w3.org/2009/policy-ws/papers/Matheus.pdf paper
<dsr> appears to conflate context dependent styling and desire to show more or less data to people across the border
HL: What's the harm of rendering an interior part of Germany in the Dutch style?
AM: Don't take it that seriously.
HL: oh, so it's a motivating example
<dsr> access control attributes corresponding to evaluating geometric functions over geospatial data
<dsr> these attributes are then used for controlling access to that data
<caribou> scribe: carine
<caribou> scribeNick: caribou
-> http://www.w3.org/2009/policy-ws/papers/Carreras.pdf
-> http://www.w3.org/2009/policy-ws/slides/Delgado.pdf slides
HL: doesn't the social wbe server know all that stuff [who i friend of who]?
JD: we need to express new semantics
HL: of policies or
attributes?
... the policy does not know the semantics of the attributes
foo or bar
JD: yes. But the way you operate on this information is new
??: in terms of validation, XACML does not have the capability of validating credentials
HL: the rules only say "compare this and that"
[point of order: several people talking at the same time, debate deferred to end of session]
<rigo> Jaime: have implementation of a matching from ODRL to XACML and e.g. MPEG21 license to XACML
-> http://www.w3.org/2009/policy-ws/papers/Raggett.pdf paper
-> http://www.w3.org/2009/policy-ws/slides/Raggett.pdf slides
Rigo: ODRL was submitted to
W3C
... push for it?
[Dave starts]
GN: if you identify at 2 places with the same assertion, it's linkable
DR: privacy policy is what data
is collected, what for and how long it will be kept
... privacy assistant that describes the policies to help he
user
<carrasco> XML should be more readable for IT people than a legal contract -:)
<tlr> now, let's talk about perl...
RW: you can generate
human-readable policies from P3P
... lots of legalese don't say anything but "give us your
data"
... we have never played with scenarios like OpenID,
intermediaries
DR: lack of technology to
implement some Directives
... market is on demand of more and more personal data
TCB: if the site is in the EU,
it's easy, if the site is not, it's a problem
... in the cloud
-> http://www.w3.org/2009/policy-ws/papers/Accorsi.pdf paper
-> http://www.w3.org/2009/policy-ws/slides/Accorsi.pdf slides
HL: the analysis depends on the fact that you know the semantics of what the user is sharing?
RA: no more than 10 datatypes with agreed semantics
LB: you compare policy of the _systems_ and policy of the _user_, what do you mean?
RA: policy of the system is e.g. "I need your birthdate and your address"
LB: and policy of the user would be "I'll let you have this...if ..."
RA: yes
RW: visualize an xacml policy?
HL: seen that in a PhD
RW: insisting that semantics of XACML is needed
DR: in DL
HL: any other questions? Proposal to work on finding directions
<rigo> sticky policy: policy information attached to data, a bit like in S/MIME
<rigo> DC: could be like an obligation, whenever data is moved, the subsequent service has to take the obligation to pass the policy information on
<rigo> ...independed PEP that passes on the information on behalf
<rigo> ...reject if a service can't enforce the policy, problem renegate site, "we enforce everything"
<rigo> ...first should be transport the information back and forth
<rigo> ... this is an extension to XACML
GN: do you insist on the sticky policy being signed?
DC: no. It's up to the PEP to
package it with the data
... what we want to do next is to define a std protocol,
application-independent
... we haven't gone to that yet
GN: the sticky policy is dependent on the data poured in that channel
<rigo> DC: we don't have a correct binding
DC: yes. we haven't reached that detailed spec
<rigo> ...between data and policy
GN: once the channel is set up, you put whatever data you want in it?
DC: yes
RW: scenario with data on HTTP then sent by email then put in a SQL DB. How the policy survives?
DC: you can have a conformant
gateway before the SQL DB
... it would store the policy
AM: it's OGC topic18
... a DRM framework, 2 years ago
<rigo> former OpenGIS
AM: Data travelling from one service to another service, it goes into another DB
DC: travels with the policy?
AM: separately
... SAML assertions to protect the policy
<rigo> ME: tls never had sticky policies
<rigo> ...we are talking about higher level policies
HL: you need trust, in downstream parties
<carrasco> http://portal.opengeospatial.org/files/?artifact_id=17802
<dsr> I wonder about web browsers, e.g. use of HTML forms and how the personal data in the form is sent along with a binding to the policy. Personal data may also be sent as part of an HTTP Authorization header, so the binding isn't simple.
DC: if you commit to give in data
to someone, you can't unilaterally change the contract
afterwards
... there are different scenarios
EP: can't we add the temporal
aspect?
... (like cookies)
DC: yes, you can say "for 6 months" but if I change my mind, can I change it back to 3 months
DR: if it's agreed in the policy that you can change
<hlockhar> means of policy expression
<hlockhar> means of transporting and binding policies
<hlockhar> trust of enforcement
<hlockhar> combination with endogenous policies
<hlockhar> revocation?
RW: subsetting policies, you can
only get more restrictive
... opposite of the data aggregation in semantic web, where you
always add
... temporary aspect because of deletion
... datawarehouses are not intelligent
... sticky policies would make them intelligent
DC: metadata can be attributes, policies
HL: policies are not just
metadata, commitment to do something
... are we in a position to implement sticky policies?
TCB: do we have a policy for every URI?
HL: DRM has solved the binding issue 20yrs ago
several voices: no
DC: no it's a trust issue
HL: agreement to standards.
... what's missing?
DC: performance?
HL: what user is going to specify a 1GB policy? :
<dsr> In most cases the policy will be defined by the server, not the user
ME: trust depends on who you are
<dsr> One missing piece is for the policy to indicate the legal jurisdiction
EP: do we have sticky policies smart enough to identify that someone's breaching a rule in some country?
<rigo> ML: internal attributes
<rigo> ...don't want to give them away, some solution the crypto way
<tlr> ScribeNick: tlr
DC: you're talking about the credential validation issue
scribe: then you have a policy
who are trusted issuers of credentials
... I may be the only trusted issuer for data about my
friends
... that's a policy
??: financial criteria would be things you'd want to keep secret
scribe: think about risk management for credit cards
DR: binding agreements betweent
wo parties
... data subject and data controller
... agreement can't be reached unless both parties know what it
is
... have to disclose what's supposed to be the agreement
RW: absolutely
GN: where does the sticky policy
come from?
... I don't like the name of the supermarket problem
... but it's a problem
... have seen both sides
... both policies present and match, or policy imposed?
... Rigo's point is that data controller is often the big
guy
... who can then impose rules, option is take it or leave
it
... in primelife, made some advances along the lines of
"perhaps true, but can at least specify preferences"
... optimize matching procedure
... automate decision whether or not can live with
criteria
... automation happening
HL: there have to be mechanisms for policy agreement
GN: sticky policy as match between preferences and policies
<rigo> HL: add mechanism on policy agreement to the list
GN: downstream data controller to
follow sticky policy
... downstream controller could propose policy
... sticky policy could be matched against that
RW: several hops
DC: whatever mechanism is developed must be recursive
HL: can spend a lot of time on
potential approaches
... nail down what we try to accomplish
RW: some of this was raised by
Greg
... experience from past is you say "need policy
expression"
... it's more complex than just policy expression
... have always somebody come in with additional
information
... ease of extensibility of policy language
... subsequent understanding of policy expression
... one of the biggest issues in this area
... one of my misunderstandings in semweb was
... policy, data, magic happens
... unfortunately, magic doesn't happen
DC: have to assume multiple
policy languages
... and integrating them
RW: protocol level
DC: flag policies with language
RW: bites with stickiness?
... Must be able to consume multiple languages -- add to
list
??: policy references instead of policies?
HL: "if you want a policy, call
me" -- binding to reference, not to policy
... that's neat!
DC: In X.509 put a hash in
DR: not sure we need to assume
multiple languages
... but extensibility and matching in presence of
extensions
HL: too many languages already -- and yes, they're insufficient in ways we don't know yet
RW: P3P semantics for privacy --
not enough
... in access control, need more than just privacy
semantics
... know in baseline policy language how to deal with
proliferation
HL: hope change would be
independent
... an XACML policy says "XACML" right on top
... would hope that binding, trust arrangement etc be
independent of expression language
DR: for matching, need semantics
HL: combining, yes
RW: mustUnderstand
... baseline of what have to understand
HL: out of time
... need for tools
... any last words?
ME: not sure end users need to understand
SS: managing policies -- systems
administrator
... user needs to remember
... sys admin might have hundreds or thousands of policies
RW: JRC Policy Editing tool
... very feature rich
... mind numbingly feature rich
... challenge for server is to reduce complexity
... challenge for user is "justice has to be seen to be
done"
... can have all the tools of this world -- if people don't get
the feeling that privacy happens, it's not worthwhile
ML: : object to "end users don't need tools"
<rigo> ML:
ML: need some tools to specify policies, some tools to visualize how policies affect data
<carrasco> http://sn.im/youth-lux for posterity -:)
<scribe> done
This is scribe.perl Revision: 1.135 of Date: 2009/03/02 03:52:20 Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/ Guessing input format: RRSAgent_Text_Format (score 1.00) Succeeded: s/worth/worse/ Succeeded: s/to/for/ Succeeded: s/he/here/ Succeeded: s/??/Ben:/ Succeeded: s/??/DC/ Succeeded: s/ITEF/IETF/ Succeeded: s/dat/data/ Succeeded: s/Topic: Controlling the unified portrayal of geospatial cross-border maps// Succeeded: s/several/several people/ Succeeded: s/from MPEG21/e.g. MPEG21 license/ Succeeded: s/other way around would be better/other way around is not possible/ Succeeded: s/assertions/assertion/ Succeeded: s/facts/fact/ Succeeded: s/Hello World// Succeeded: s/hello rigo// Succeeded: s/wat/want/ Succeeded: s/ODC/OGC/ Succeeded: s/unliaterally/unilaterally/ Succeeded: s/policies/a policy/ Succeeded: s/side/sides/ Succeeded: s/s// Succeeded: s/tine/time/ Succeeded: s/??/ML:/ Found ScribeNick: rigo Found Scribe: dsr Found ScribeNick: dsr Found Scribe: tlr Inferring ScribeNick: tlr Found Scribe: carine Found ScribeNick: caribou Found ScribeNick: tlr Scribes: dsr, tlr, carine ScribeNicks: rigo, dsr, tlr, caribou WARNING: No "Present: ... " found! Possibly Present: AM Andreas Ben DC DR EP GN Greg Gregory HL JD Jaime LB MCB ME ML MTB Mario MarioL NP PG PS RA RW Raphael Rigo SS TCB TR Tomas accorsi caribou carrasco dsr elenat hal hlockhar mari1 nikos renato samarati scribenick tlr world You can indicate people for the Present list like this: <dbooth> Present: dbooth jonathan mary <dbooth> Present+ amy Agenda: http://www.w3.org/2009/policy-ws/agenda.html Got date from IRC log name: 17 Nov 2009 Guessing minutes URL: http://www.w3.org/2009/11/17-acas-minutes.html People with action items:[End of scribe.perl diagnostic output]