Policy Languages and Their Suitability for Trust Negotiation

  • Martin Kolar
  • Carmen Fernandez-Gago
  • Javier Lopez
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10980)


Entities such as people, companies, institutions, authorities and web sites live and exist in a conjoined world. In order to live and enjoy social benefits, entities need to share knowledge and resources and to cooperate. Cooperation brings with it many new challenges and problems, one of which is the problem of trust. This area is also important for Computer Science. When unfamiliar entities wish to cooperate, they do not know what to expect, nor whether they can trust each other. Trust negotiation solves this problem by sequentially exchanging credentials between entities that have decided to establish a trust relationship in order to reach a common goal. Entities specify their own policies, which govern the disclosure of confidential information in order to maintain their security and privacy. Policies are defined by means of a policy language. This paper aims to identify the most suitable policy language for trust negotiation. To do so, a set of criteria for trust negotiation is first established, and policy languages are then analysed against these criteria.



This research has been supported by the European project “European Network for Cyber-security (NECS)” - the European Union's Horizon 2020 research and innovation programme under the Marie Sklodowska-Curie grant agreement No. 675320 and the Spanish Ministry of Economy and FEDER through the project PRECISE (TIN2014-54427-JIN).



Copyright information

© IFIP International Federation for Information Processing 2018

Authors and Affiliations

  • Martin Kolar (1)
  • Carmen Fernandez-Gago (1)
  • Javier Lopez (1)

  1. Network, Information and Computer Security Lab, University of Malaga, Malaga, Spain
