Some concerns about intersection and domain independence

[Daniel Olmedilla <olmedilla@l3s.de>]

Dear all,

I have been reading your posts since the beginning of the list. Sorry for the 
late participation but other constraints kept me away from contributing.

I have been working on policy research during the last years, but mostly from 
the academia perspective. Here there are some questions/comments/concerns I 
hope provide some discussion:

- If I am not wrong, WS-PolicyConstraints proposes a concept of intersection 
based on syntactic matching. That's the secret to make it domain independent. 
However, I see semantics as a key point during web service matching. For 
example, imagine an e-shop that accepts any credit cardit. The shop is 
obliged to list all possible "subclasses" of credit card. Probably this is a 
simple example where the number of assertions do not explode. However, now 
imagine that the policy expresses the request for a valid employee id issued 
by a partner company (all partner companies must be listed to do matching) or 
suppose a user willing to make a transaction if it is "secured". While the 
service provider lists only some specific protocols, the client should list 
all possible "secure" protocols in order to be matched. See [1] and [2] for 
some ideas about a matchmaking process taking into account hierarchies of 
concepts. I know that then the complexity is shifted from simple set 
containment (your "is a subset of" operator) to subsumption but my concern is 
whether simple set containment is feasible due to the potential number of 
constraints in real policies.

- Delegation. Imagine a policy that says "employees from our administration 
department or current employees from our partner XYZ are allowed to 
access" (see [3] for other examples). In this case, since it is unlikely that 
XYZ is going to replicate its employee database, delegation is needed. 
Matchmaking is not anymore domain independent, isn't it?. It requires a 
matchmaking process for the first part and an external request for the 
second. How would this be addressed?

- Regarding to intersection, as an extra point of view, I would add that it is 
not necessarily needed to be done in a one-step process. It might be that 
policies are not public, or there are too many in order to try to match them 
all. In such a case, there could be an iteration in which after each 
communication process/iteration of the negotiation new policies may be 
released and taken into account ([3], [4]). I don't see in your current 
document anything that would not allow this kind of negotiations but I just 
point it as a probably different scenario.

A couple of extra questions/comments on the document WS-PolicyConstraints (24 
October 2005):
- Page 6 says "currently most semantic descriptions are captured only in 
custom code modules". Could you extend a bit on this?
- Page 6 also talks about circular dependencies being inconsistent. I just 
would like to point that it is not necessary inconsistent. It is the case of 
OWL (based on description logics) but not of other approaches based on Logic 
Programming (like e.g. [4]). From a declarative point of view, cycles are 
perfectly right and not errors or inconsistences. Furthermore, even though 
cycles might be avoided in a centralized approach, it is not possible if 
distributed. Imagine the following example (extracted from a currently 
submitted paper):
"suppose Bob wants to share his pictures with his friends. Bob protects his 
pictures with a policy that states “only my friends may access my pictures”. 
However, he does not only have a list of his friends but also include that 
“all Alice’s and Frank’s friends are also my friends”. Suppose Alice and 
Frank have a similar policy in which their friends list includes also all 
other’s friends. Given that setup, imagine that Tom requests access to Bob’s 
pictures. Bob’s security agent (SA) checks that Tom is not his friend but, 
since he might be a friend of Alice or Frank, it asks their security agents. 
Now, Alice’s SA checks locally if Tom is her friend, but some of her policies 
say that any friend of Bob or Frank is also her friend and therefore, it asks 
Bob’s and Frank’s SA. In parallel Frank’s SA evaluates its policies and 
produces a similar situation asking back Bob’s and Alice’s SA, and so on. As 
the reader can see, if not detected and handled appropriately, the evaluation 
of this request would never terminate (see figure 1), even if answers exist."

Hope that my comments do not diverge too much the focus of the mailing list 
but I would be really interested in bringing some new requirements to 
discussion and knowing about your opinion on them.

Best,

	D.

[1]  Lalana Kagal, Massimo Paoucci, Naveen Srinivasan, Grit Denker, Tim Finin, 
and Katia Sycara, "Authorization and Privacy for Semantic Web Services", IEEE 
Intelligent Systems (Special Issue on Semantic Web Services), 2004

[2]  Grit Denker, Lalana Kagal, Tim Finin, Katia Sycara, and Massimo Paoucci, 
"Security for DAML Web Services: Annotation and Matchmaking", 2nd 
International Semantic Web Conference (ISWC2003), September 2003

[3] Rita Gavriloaie, Wolfgang Nejdl, Daniel Olmedilla, Kent Seamons, Marianne 
Winslett
No Registration Needed: How to Use Declarative Policies and Negotiation to 
Access Sensitive Resources on the Semantic Web
1st European Semantic Web Symposium, May. 2004, Heraklion, Greece

[4] Piero A. Bonatti, Daniel Olmedilla
Driving and Monitoring Provisional Trust Negotiation with Metapolicies
IEEE 6th International Workshop on Policies for Distributed Systems and 
Networks (POLICY 2005), Jun. 2005, Stockholm, Sweden
-- 
     Daniel Olmedilla
     L3S Research Center and Hannover University
     Deutscher Pavillon
     Expo plaza 1
     D - 30539 Hannover

     Phone: +49 (0)511 762.9741 / +49 (0)511 7621.9767
     Fax:     +49 (0)511 762.9779 / +49 (0)511-7621.9712

     http://www.l3s.de/~olmedilla/
     E-Mail: olmedilla@l3s.de