Abstract
This paper argues that privacy policies in SOA need a lifecycle model. We formalize the lifecycle of personal data and associated privacy policies in Service Oriented Architectures (SOA), thus generalizing privacy-friendly data handling in cross-domain service compositions. First, we summarize the lessons we learned in two research projects (PrimeLife and SecPAL for Privacy) by proposing generic patterns to enable privacy policies in SOA. Second, we map existing privacy policy technologies and ongoing research work to the proposed abstraction. This highlights advantages and shortcomings of existing privacy policy technologies when applied to SOA.
© 2012 Springer-Verlag Berlin Heidelberg
Cite this paper
Bussard, L., Pinsdorf, U. (2012). Abstract Privacy Policy Framework: Addressing Privacy Problems in SOA. In: Camenisch, J., Kesdogan, D. (eds) Open Problems in Network Security. iNetSec 2011. Lecture Notes in Computer Science, vol 7039. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-27585-2_9
DOI: https://doi.org/10.1007/978-3-642-27585-2_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-27584-5
Online ISBN: 978-3-642-27585-2
eBook Packages: Computer Science (R0)