A Review of Trust Management, Security and Privacy Policy Languages

Policies are a well-known approach to protecting security and privacy of users as well as for flexible trust management in distributed environments. In the last years a number of policy languages were proposed to address different application scenarios. In order to help both developers and users in choosing the language best suiting her needs, policy language comparisons were proposed in the literature. Nevertheless available comparisons address only a small number of languages, are either out-of-date or too narrow in order to provide a broader picture of the research field. In this paper we consider twelve relevant policy languages and compare them on the strength of ten criteria which should be taken into account in designing every policy language. Some criteria are already known in the literature, others are introduced in our work for the first time. By comparing the choices designers made in addressing such criteria, useful conclusions can be drawn about strong points and weaknesses of each policy language.

[1]  K.E. Seamons,et al.  Automated trust negotiation , 2000, Proceedings DARPA Information Survivability Conference and Exposition. DISCEX'00.

[2]  Pierangela Samarati,et al.  Regulating service access and information release on the Web , 2000, CCS.

[3]  Amir Herzberg,et al.  Access control meets public key infrastructure, or: assigning roles to strangers , 2000, Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000.

[4]  Emil C. Lupu,et al.  The Ponder Policy Specification Language , 2001, POLICY.

[5]  Deborah Kurata Introduction to the Web , 2002 .

[6]  Marianne Winslett,et al.  Requirements for policy languages for trust negotiation , 2002, Proceedings Third International Workshop on Policies for Distributed Systems and Networks.

[7]  Jeffrey M. Bradshaw,et al.  Semantic Web Languages for Policy Representation and Reasoning: A Comparison of KAoS, Rei, and Ponder , 2003, SEMWEB.

[8]  Timothy W. Finin,et al.  A policy language for a pervasive computing environment , 2003, Proceedings POLICY 2003. IEEE 4th International Workshop on Policies for Distributed Systems and Networks.

[9]  Ninghui Li,et al.  RT: a Role-based Trust-management framework , 2003, Proceedings DARPA Information Survivability Conference and Exposition.

[10]  Dennis G. Kafura,et al.  First experiences using XACML for access control in distributed systems , 2003, XMLSEC '03.

[11]  Jeffrey M. Bradshaw,et al.  KAoS policy and domain services: toward a description-logic approach to policy representation, deconfliction, and enforcement , 2003, Proceedings POLICY 2003. IEEE 4th International Workshop on Policies for Distributed Systems and Networks.

[12]  Anne H. Anderson An introduction to the Web Services Policy Language (WSPL) , 2004, Proceedings. Fifth IEEE International Workshop on Policies for Distributed Systems and Networks, 2004. POLICY 2004..

[13]  Peter Sewell,et al.  Cassandra: distributed access control policies with tunable expressiveness , 2004, Proceedings. Fifth IEEE International Workshop on Policies for Distributed Systems and Networks, 2004. POLICY 2004..

[14]  Marianne Winslett,et al.  No Registration Needed: How to Use Declarative Policies and Negotiation to Access Sensitive Resources on the Semantic Web , 2004, ESWS.

[15]  Anne H. Anderson,et al.  A comparison of two privacy policy languages: EPAL and XACML , 2006, SWS '06.

[16]  Piero A. Bonatti,et al.  Advanced Policy Explanations on the Web , 2006, ECAI.

[17]  Nahid Shahmehri,et al.  Privacy in the Semantic Web: What Policy Languages Have to Offer , 2007, Eighth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY'07).

[18]  Letizia Tanca,et al.  The Semantic Web Languages , 2009, Semantic Web Information Management.

[19]  Margo McCall,et al.  IEEE Computer Society , 2019, Encyclopedia of Software Engineering.