1 / 15

Towards a Policy Aware Web

Towards a Policy Aware Web. Vladimir Kolovski, Yarden Katz, Jim Hendler, Danny Weitzner, Tim Berners-Lee. Why do we need policy awareness. Inflexible and simplistic access control on the web No ability to specify fine-grained access control Workarounds are tedious Privacy issue

yetta-turner
Download Presentation

Towards a Policy Aware Web

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Towards a Policy Aware Web Vladimir Kolovski, Yarden Katz, Jim Hendler, Danny Weitzner, Tim Berners-Lee

  2. Why do we need policy awareness • Inflexible and simplistic access control on the web • No ability to specify fine-grained access control • Workarounds are tedious • Privacy issue • Lacking in privacy protection mechanisms • Individual privacy might be compromised and liberties put at risk if the information were public • All this leads to reluctance to share information SWPW Presentation

  3. Our Approach • Targeted at casual web users • Easy to write expressive policies • Language with a large library of useful constructs • Relatively low enforcement burden • We propose a rule-based infrastructure that leverages the current web • Allows for publication of declarative access policies • Policies at the level of individual URI • Greater control in the hands of the information owner SWPW Presentation

  4. Why Rule-Based? • Problems with identity- and role-based approaches • Difficult to set up in a fine grained way • Classes (atomic roles) must be set up in advance • Want to specify policies based on attributes of entities • Without knowing their identity • With rules we are able to specify policies based on descriptions SWPW Presentation

  5. Rule-Based Mechanisms • Two types of rule-based access mechanisms: • Mandatory access control • Strictly hierarchical, at universities and governments • The organization enforces security policies, not the individual information owner • Discretionary access control • Access control given to information owner • Approach used in PAW SWPW Presentation

  6. Rules Language • Requirements: • Consistent with Web architecture principles • Used and tested within the web community • Allows to publish, browse, retrieve policies using HTTP • Our language of choice was N3 • extends RDF model • Important feature – proof generation on client side SWPW Presentation

  7. Architecture Diagram SWPW Presentation

  8. Reasoning Support for PAW • cwm as a forward chaining N3 reasoner • Currently generates a proof by serializing the intermediate steps as “reasons” when running the rules engine • Generated proofs rather large in size • Needs pruning • Scale it better by integrating a RETE engine • Proof checking function relatively simple • Can be optimized, too SWPW Presentation

  9. Example • Using REIN as the policy framework and cwm as the proof generator/checker • Photo sharing between members of a girl scout troop • Photos taken at meetings of the troop can be shared with any current member of the troop. • Photos of the girls winning awards can be shared with anyone currently in the troop, or who was ever a member. These award photos can also be shared with the public if, and only if, the girl's parents allow it SWPW Presentation

  10. Example • Judy wants to access the picture, makes a request: <Request rdf:about="judy-req#req"> <requester rdf:parseType="Resource"> <session:secret>judy-passwd</session:secret> </requester> <resource rdf:resource="http://demo.policyawareweb.org/images/group.jpg"/> </Request> • If Judy is allowed to access the picture, she receives: :requester http:can-get <http://www.policyawareweb.org/group-photo.jpg> • In order to generate a proof, Judy runs her request against the policy with cwm’s –why option. • Examples available at http://groups.csail.mit.edu/dig/2005/09/rein/examples/ SWPW Presentation

  11. Architecture Diagram SWPW Presentation

  12. Related Work • Proof-Carrying Authorization (PCA) • Web access control system based on a higher-order, undecidable logic • Proof of access on client side can be generated using a subset of higher-order logic • This subset maps to a simple and decidable application-specific logic • Drawback: client proofs blow up in size • PeerTrust/PeerAccess • Bilateral trust • Sensitive policies • Trust established incrementally • Peertrust - policy and negotiation language based on distributed logic programs SWPW Presentation

  13. Contributions • The field of distributed web access control is already mature, what do we bring to the table? • Our contribution is in putting the following things together: • PCA-like distributed proof of policy compliance • Freely shared, transparent policies • “Webby” reasoner, able to publish, browse and retrieve rules on the fly and allowing for fine-grained specification of policies. SWPW Presentation

  14. Challenges and Future Work • Revisiting proof generation/ checking • Generated proofs for simple policies are over 300KB, cwm takes more than 10s to reason over them • Should we move to a backward chaining reasoner? • Integrate our RETE engine in cwm • Handling inconsistency • Inconsistencies unavoidable because of open ended nature of the web • Investigate ways to be robust in the face of inconsistency • UI and support for writing policies • Casual users don’t want to hack N3 SWPW Presentation

  15. Questions? Thanks for your attention SWPW Presentation

More Related