Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Document Format for Expressing Privacy Preferences H. Schulzrinne, J. Morris, H. Tschofenig, J. Cuellar, J. Polk, J. Rosenberg.

Published byJayson Lucas Modified over 9 years ago

Similar presentations

Presentation on theme: "A Document Format for Expressing Privacy Preferences H. Schulzrinne, J. Morris, H. Tschofenig, J. Cuellar, J. Polk, J. Rosenberg."— Presentation transcript:

1 A Document Format for Expressing Privacy Preferences H. Schulzrinne, J. Morris, H. Tschofenig, J. Cuellar, J. Polk, J. Rosenberg

2 Status Update A number of editorial issues fixed with the document: http://www.tschofenig.com/drafts/ draft-ietf-geopriv-common-policy-01-from-0.diff.html

3 Multiple elements in the element It is allowed to list more than one identity within a single rule. Based on mailing list discussions Example: alice@example.com bob@example.com

4 Except handling No domain part in the element. Changed from: example.com joe@example.com tony@example.com mike@example.com To: example.com joe tony mike

5 Actions The action was moved to the presence specific authorization document. The common-policy document does not define any actions.

6 Combining Permissions How it works today! (1/2) Allison provided a few policy rules for access to her location information: Conditions Actions/Transformations +--------------------------------+---------------------+ | Id WR-ID sphere from to | X Y Z | +--------------------------------+---------------------+ | 1 bob home A1 A2 | TRUE 10 o | | 2 alice work A1 A2 | FALSE 5 + | | 3 bob work A1 A2 | TRUE 3 - | | 4 tom work A1 A2 | TRUE 5 + | | 5 bob work A1 A3 | undef 12 o | | 6 bob work B1 B2 | FALSE 10 - | +--------------------------------+---------------------+ Bob asks for location information (between A1 and A2).

7 Combining Permissions How it works today! (2/2) Conditions Actions/Transformations +--------------------------------+---------------------+ | Id WR-ID sphere from to | X Y Z | +--------------------------------+---------------------+ | 1 bob home A1 A2 | TRUE 10 o | | 2 alice work A1 A2 | FALSE 5 + | | 3 bob work A1 A2 | TRUE 3 - | | 4 tom work A1 A2 | TRUE 5 + | | 5 bob work A1 A3 | undef 12 o | | 6 bob work B1 B2 | FALSE 10 - | +--------------------------------+---------------------+ Actions/Transformations +-----------------------+ | X Y Z | +-----------------------+ | TRUE 3 - | | undef 12 o | +-----------------------+ Actions/Transformations +-----------------------+ | X Y Z | +-----------------------+ | TRUE 12 - | +-----------------------+ Combining Permissions Algorithm Firing rules

8 Combining Rules (CR) CRs as defined in common-policy-01: — data types of permissions to be combined = Boolean or Undef: if there is one value = true: CV = true otherwise: CV = false — data types of permissions to be combined = Integer or Undef: if all permission values = undef: CV not specified (bad!) otherwise: CV = max {single values} — data types of permissions to be combined = Set or Undef: CV = intersection of all single values not equal undef (CR = Combining Rule, CV = Combined Value)

9 Combining Permissions Enhancement Motivation Rule maker writes authorization policies. He needs to be aware of a few things to understand what he outcome of the rules are: — the combining permissions algorithms and — other authorization rules (such as default rule) Output might not be desired or expected. Legend — D-Flag: Distribute Flag FALSE: Further distribution of the LO is not allowed TRUE: Further distribution of the LO is permitted

10 Example Figure 1: Authorization Policy ConditionsActions/Transforms IdWR-IDD-FlagCivil-Location 1tedFALSEcity 2*TRUEcountry D-FlagCivil-Location TRUEcity Figure 2: Result of a query by WR "Ted" for target "Allison" The result allows "Ted" to distribute fine grained location information.

11 First Solution Approach It is possible to change the semantics of the D-Flag to something which is more "privacy-preserving". Distribution is disallowed if a single rule fires where the DD-Flag is set to TRUE (i.e., where further distribution is not allowed). Legend — DD-Flag: Don't Distribute Flag FALSE: Further distribution of the LO is allowed TRUE: Further distribution of the LO is disallowed

12 Example II Figure 1: Authorization Policy ConditionsActions/Transforms IdLR-IDDD-FlagCivil-Location 1tedTRUEcity 2*FALSEcountry DD-FlagCivil-Location TRUEcity Figure 2: Result of a query by LR "Ted" for target "Allison"

13 Combining Rules Evaluation Current CRs definitions are not always privacy-protecting: — Boolean CR not appropriate for transformation — Integer CR appropriate for enumeration, if full civil info = low integer value, country only = high integer value not appropriate for,, and transformations — Set CR combined value defined to be intersection of the single values would union be more appropriate? (to be privacy preserving)

14 First Solution Approach Evaluation Result: Rules are harder to read but lead to a result which might be more intuitive. strange permissions: — false Passage from the next version of the Geopriv-Policy document: "Latitude resolution permission values are of type Integer. These values MUST be negative, in order to comply with the Integer CR of the common policy spec, see [..]. The resolution is the number of bits as given by the absolute value of the negative integer value of latitude resolution transformation element..."

15 Proposal Six CRs: — Boolean-True: if there is a single value = true, then CV = true — Boolean-False: if there is a single value = false, then CV = false — Integer-Maximum: CV = maximum of single permission values — Integer-Minimum: CV = minimum of single permission values — Set-Intersection: CV = intersection of single permission values — Set-Union: CV = union of single permission values Each permission definition MUST specify the CR that should be used in order to protect privacy. (CR = Combining Rule, CV = Combined Value)

16 Proposal XML Schema Enhancement Example: <xs:element name="latitude-resolution" type="xs:integer" substitutionGroup="cp:transformation"/> Integer-Minimum

17 Non-Identity based Authorization Goal: — Allow authorization decisions based on some knowledge (token, passcode) rather than only on the authenticated identity. Issue also described in the Geopriv requirements document Different approaches: — XCON approach — Authorization policies with tokens/passcodes — Name of the resource itself serves this purpose Are some actions necessary in Geopriv (with respect with the requirements)?

18 Identities The content of the element is assumed to be the authenticated identity of the user. A using protocol describes which entities from the using protocol are matched with the If the element is omitted then it means: — Match for authenticated as well as unauthenticated WRs XCON raised the issue of having support for: — Any authenticated user — Non-authenticated user - but still an identity matching is done Is this something useful for us?

19 Next Steps Update Common-Policy document based on decisions made in this meeting Please send review comments!

20 Questions?

Download ppt "A Document Format for Expressing Privacy Preferences H. Schulzrinne, J. Morris, H. Tschofenig, J. Cuellar, J. Polk, J. Rosenberg."

Similar presentations

XCAP Tutorial Jonathan Rosenberg.

XCAP Tutorial Jonathan Rosenberg.
Access control for geospatial information objects using/extending the eXtensible Access Control Markup Language Andreas Matheus, Technische Universität.

Access control for geospatial information objects using/extending the eXtensible Access Control Markup Language Andreas Matheus, Technische Universität.
1 Authorization XACML – a language for expressing policies and rules.

1 Authorization XACML – a language for expressing policies and rules.
1 CPCP Hisham Khartabil XCON WG IETF 60, San Diego 2 nd August, 2004

1 CPCP Hisham Khartabil XCON WG IETF 60, San Diego 2 nd August, 2004
Using XACML Policies to Express OAuth Scope Hal Lockhart Oracle June 27, 2013.

Using XACML Policies to Express OAuth Scope Hal Lockhart Oracle June 27, 2013.
8.2 Discretionary Access Control Models Weiling Li.

8.2 Discretionary Access Control Models Weiling Li.
1 Information Gathering (Requirements Elicitation) Remember: distinguish “requirements” from “design” (big issue here?) Requirements are about “black box”

1 Information Gathering (Requirements Elicitation) Remember: distinguish “requirements” from “design” (big issue here?) Requirements are about “black box”
Privacy-Preserving Trust Negotiations Mikhail Atallah Department of Computer Science Purdue University.

Privacy-Preserving Trust Negotiations Mikhail Atallah Department of Computer Science Purdue University.
Introduction to XLink Transparency No. 1 XML Information Set W3C Recommendation 24 October 2001 (1stEdition) 4 February 2004 (2ndEdition) Cheng-Chia Chen.

Introduction to XLink Transparency No. 1 XML Information Set W3C Recommendation 24 October 2001 (1stEdition) 4 February 2004 (2ndEdition) Cheng-Chia Chen.
95-804 Applied Cryptography Week 13 SAML 1 95-804 Applied Cryptography SAML and XACML Mike McCarthy Week 13.

Applied Cryptography Week 13 SAML Applied Cryptography SAML and XACML Mike McCarthy Week 13.
Identity, Spheres and Privacy Rules Henning Schulzrinne (with Hannes Tschofenig and Richard Barnes) Workshop on Identity, Information and Context October.

Identity, Spheres and Privacy Rules Henning Schulzrinne (with Hannes Tschofenig and Richard Barnes) Workshop on Identity, Information and Context October.
A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.

A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.
Web Privacy Topics Andy Zeigler Senior Program Manager, Internet Explorer Microsoft.

Web Privacy Topics Andy Zeigler Senior Program Manager, Internet Explorer Microsoft.
XACML By Ganesh Godavari Craig Peltier. Information Sharing Information Sharing relates to the sharing of information between two or more entities. Entities.

XACML By Ganesh Godavari Craig Peltier. Information Sharing Information Sharing relates to the sharing of information between two or more entities. Entities.
Carrying Location Objects in RADIUS Hannes Tschofenig, Farid Adrangi, Avi Lior, Mark Jones.

Carrying Location Objects in RADIUS Hannes Tschofenig, Farid Adrangi, Avi Lior, Mark Jones.
XACML Gyanasekaran Radhakrishnan. Raviteja Kadiyam.

XACML Gyanasekaran Radhakrishnan. Raviteja Kadiyam.
1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo

1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo
Intra-Domain Federation Jonathan Rosenberg Cisco.

Intra-Domain Federation Jonathan Rosenberg Cisco.
Why XML ? Problems with HTML HTML design - HTML is intended for presentation of information as Web pages. - HTML contains a fixed set of markup tags. This.

Why XML ? Problems with HTML HTML design - HTML is intended for presentation of information as Web pages. - HTML contains a fixed set of markup tags. This.
XML CPSC 315 – Programming Studio Fall 2008 Project 3, Lecture 1.

XML CPSC 315 – Programming Studio Fall 2008 Project 3, Lecture 1.

Similar presentations

Ads by Google