D2.3 TAS3 Lower Common Ontology
TAS3 Lower Common Ontology
The December 2009 version (v1.1) of deliverable D2.3 (TAS3 Lower Common Ontology) is open to public comments, feedback and review!
All feedback is welcome!
You can download it and post comments from here:
(you need to log in first to post a comment)
Executive Summary
The TAS3 (Trusted Architecture for Securely Shared Services) project aims to develop an open, secure and trusted architecture for the exchange of personal information across services. As this data is generated over a human lifetime, it needs to be collected and stored at distributed locations and used by a multitude of services. In the employability domain, for instance, a person is continuously learning new competences based not only on his or her education history, but also on his or her employment experience. His or her employability information will therefore be stored with different service providers, each of which uses its own technical specifications when processing information. In such a distributed environment, all partners in a Trust Network (TN) need to agree upon a common understanding for the technical underpinning of the services as well as a common vocabulary for the data in order to support secure data exchange.
Over the years, many languages have been developed to define security policies and privacy policies enabling secure access to personal information in distributed environments. For example, eXtensible Access Control Markup Language (XACML) is an access control policy language describing how to interpret authorization policies while exchanging data in a service-oriented architecture.
More specifically, XACML provides an XML-based syntax enabling a Policy Decision Point (PDP) to determine whether a request to access a resource should be granted, and to return an answer to a Policy Enforcement Point (PEP), which allows or denies access to the resource. However, policy interoperability can only be achieved if every system expresses its policies in the same language. Furthermore, these languages do not cover the content of a security policy.
In this document, we present a security policy ontology based on the DOGMA (Developing Ontology-Grounded Methods and Applications) framework. In particular, we define conceptual models associated with authentication, credential validation, access control, obligation, privacy, delegation, and audit policies. More specifically, we represent security policies as a declarative model by defining a set of concepts and the relationships between them rather than describing the explicit sequence of steps required to apply them.
Given this ontology, PDPs can interoperate with each other by interpreting policy attributes and their values from the Service Requester to those of the Service Provider through annotations. This removes the impractical restriction that all PEPs and PDPs in a TN must use an identical vocabulary to describe the conceptual model of their respective security domains. For instance, the credentials of an employee in System A together with their ontological annotation can easily be evaluated by the PEP in System B. As a result, the PDP in System B can call on ontology-based interpretation and translation services to understand whether the presented credentials and their values are those required by System B or are equivalent to the conditions in its policies. Note that the concepts defined in this document draw upon those defined in the Descriptive Upper Ontology and the TAS3 Common Upper Ontology in Deliverable D2.2.
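The System A / System B translation step described above, as an added sketch that is not part of D2.3 or of any TAS3 code: each domain annotates its own attribute names and values with concepts from a shared ontology, and the Service Provider's PDP compares credentials and policy conditions at the concept level. The `onto:` concept names, the attribute names and the sample values are all constructed for illustration.

```python
"""Ontology-mediated attribute matching between two security domains."""

# Constructed annotations: local (attribute, value) -> shared ontology concept.
# The "onto:" concept names are hypothetical, not taken from D2.3.
SYSTEM_A = {  # Service Requester vocabulary
    "attrs": {"staffGrade": "onto:EmploymentRole", "org": "onto:Employer"},
    "values": {("staffGrade", "HR-Officer"): "onto:HumanResourcesStaff"},
}
SYSTEM_B = {  # Service Provider vocabulary
    "attrs": {"role": "onto:EmploymentRole", "employer": "onto:Employer"},
    "values": {("role", "personnel_manager"): "onto:HumanResourcesStaff"},
}


def to_concepts(pairs, annotations):
    """Translate local attribute/value pairs into ontology terms.

    Attributes without an annotation cannot be interpreted by the other
    domain, so they are dropped rather than guessed at.
    """
    out = {}
    for attr, value in pairs.items():
        concept = annotations["attrs"].get(attr)
        if concept is None:
            continue
        # Values with no annotation are compared as literals.
        out[concept] = annotations["values"].get((attr, value), value)
    return out


def decide(policy_conditions, credentials, provider=SYSTEM_B, requester=SYSTEM_A):
    """Return "Permit" only if every policy condition is met after translation."""
    required = to_concepts(policy_conditions, provider)
    if len(required) != len(policy_conditions):
        return "Deny"  # a policy condition has no annotation: fail closed
    presented = to_concepts(credentials, requester)
    ok = all(presented.get(c) == v for c, v in required.items())
    return "Permit" if ok else "Deny"
```

A credential whose attribute carries no annotation, or a policy condition that cannot be mapped to a concept, results in "Deny" rather than a best-effort match.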