OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [xacml] Comments on XACML Privacy Policy v1.0 profile

Hi Mohammad,

On 27/05/2014 3:50 AM, Mohammad Jafari wrote:

Now that we are in the process of public review, I wanted to share some comments that I have had on the privacy profile. I think the privacy profile can be updates to support much broader privacy policies.

Purpose constraints can take the following basic forms (there might be more complex/combined forms but let’s only consider the most common forms):

1. white list: a list of purposes that are allowed. Any other purposes will be denied.

2. black list: a list of prohibited purposes. Any other purpose will be allowed.

A black list doesn't sound safe to me. If new purposes are conceived after the
data are collected and/or consent obtained, then those new purposes are implicitly
allowed by black listing without explicit consent. Under white listing the new
purposes are implicitly disallowed.

These constraints can be combined with other authorization factors and form purpose-based policies. The following are the main categories for such policies. These can be combined to form more complex policies.

A.Action-centric: a purpose constraint on the action or action attributes: e.g.

"printing is only allowed for the purpose of treatment."

"research purpose is forbidden for remote actions."

B.Resource-centric: a purpose constraints on the use of a certain resource or a group of resources:  e.g.

"Alice's medical record must only be used for the purpose of treatment."

"Reproductive health data must not be used for the purpose of research."

C.Subject-centric: a purpose constraint on the subject or a group of subjects: e.g.

"The purpose of treatment is forbidden for members of the role 'admin'."

"Research staff can only assume the purpose of research."

D.Environment-centric: a purpose constraint on the environmental attributes: e.g.

"No action for the purpose of ‘product research’ is allowed on the sales department computers."

"The only purposes allowed outside business hours are telephone and email marketing."

The current profile only supports type 1.B.

I'm not so sure it even does that. The constraint "Alice's medical record must only
be used for the purpose of treatment" would translate into a resource:purpose
attribute for Alice's medical record that contained the value "treatment". The rule
in Section 4.1 would permit access (i.e., not deny access) if any value of the
action:purpose attribute was "treatment". If the action:purpose attribute contained
"treatment" and "research", then access would still be permitted (not denied),
incorrectly implying that Alice's medical record can also be used for research.

The reason for that error is the use of the any-of-any function in the condition.
Access is permitted if any action:purpose value matches any resource:purpose value,
regardless of the action:purpose values that don't match any resource:purpose
value. That's okay if the action:purpose attribute is single-valued, but I didn't
see that stated as an assumption. Where the action:purpose attribute is multi-valued
I think it should be the case that access is permitted (not denied) if *all*
action:purpose values are matched by at least one resource:purpose value. To that
end, the function should be any-of-all rather than any-of-any (or expressed using
the ForAll and ForAny expressions from the entities profile, which is perhaps
what Erik was alluding to in mentioning that profile).

My suggestions is that the attributes definitions be extended and remain normative while the standard rules section is made non-normative and extended to incorporate the above forms as different possible forms of purpose-based policies.

I agree that making the rule a MUST is overly restrictive. A SHOULD or
RECOMMENDED would be better.

It's not clear to me how some of these other forms would be appropriately expressed
as simple, illustrative rules. Take "the purpose of treatment is forbidden for
members of the role 'admin'", for example. That could be expressed in a deny rule,
but that would leave users with both the 'admin' and 'doctor' roles unable to
access any records for the purpose of "treatment" (of course I'm assuming doctors
are allowed to treat patients :-) ). Role entitlements are normally regarded as
additive, which is at odds with the way this constraint is expressed. The "research
staff can only assume the purpose of research" constraint has a similar problem.




Mohammad Jafari, Ph.D.

Security Architect, Edmond Scientific Company

*From:*xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] *On Behalf Of *Chet Ensign
*Sent:* Thursday, May 22, 2014 8:15 AM
*To:* xacml@lists.oasis-open.org
*Subject:* [xacml] Your Public Review for XACML Privacy Policy v1.0 has been announced

Members of the XACML TC,

Your 15 day public review for XACML v3.0 Privacy Policy Profile Version 1.0 has been announced. The review ends on 6 June 2014. You can find the announcement at https://www.oasis-open.org/news/announcements/15-day-public-review-for-xacml-v3-0-privacy-policy-profile-v1-0-ends-june-6th.

I have also posted an announcement to the OASIS and XACML LinkedIn groups, Twitter and the OASIS FaceBook page. Feel free to like/comment/retweet these announcements to spread the word.

Please consider forwarding these announcement on to other parties who may be interested in the work. In my experience, TCs that actively solicit outside review get more and better quality feedback on their specifications.

Also, please keep in mind the OASIS requirements for handling comments [1]. Non-TC member feedback can only be submitted to the TC's comment list xacml-comment@lists.oasis-open.org <mailto:xacml-comment@lists.oasis-open.org>. The TC must have someone subscribed to this mail list to monitor comments. All submitted comments must be acknowledged by the TC. In addition, the TC needs to maintain a log of comments received and their resolutions. The comment resolution log will need to be available when you begin your next public review. A simple comment resolution log template is available in OpenDocument [2] and Office [3] format.

Let me know if you have any questions regarding the review or next steps.

=== Additional references:

[1] https://www.oasis-open.org/resources/tcadmin/handling-the-comments-received-during-a-public-review

[2] https://www.oasis-open.org/sites/www.oasis-open.org/files/Simple-comment-resolution-log-template_0.ods

[3] https://www.oasis-open.org/sites/www.oasis-open.org/files/Simple-comment-resolution-log-template_0.xls


Chet Ensign
Director of Standards Development and TC Administration
OASIS: Advancing open standards for the information society

Primary: +1 973-996-2298
Mobile: +1 201-341-1393

Check your work using the Support Request Submission Checklist at http://www.oasis-open.org/committees/download.php/47248/tc-admin-submission-checklist.html

TC Administration information and support is available at http://www.oasis-open.org/resources/tcadmin

Follow OASIS on:
LinkedIn: http://linkd.in/OASISopen
Twitter: http://twitter.com/OASISopen
Facebook: http://facebook.com/oasis.open

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]