The Policy-Aware Web: Privacy and Transparency on the Semantic Web

mindswapmaryland information and network dynamics lab semantic web agents project

The Policy-Aware Web: Privacy and Transparency on the

Semantic WebJim Hendler

[email protected]

http://www.cs.umd.edu/~hendler

2004 NSF National Priorities ITR to UMCP and MIT (Hendler, Berners-Lee, Weitzner- PIs)


Access and Privacy Control


As we publish more info- how do we control access …

Who can see What??


Current Policy Languages• A number of languages being explored:

– P3P (data-centric relational semantics -> relational database)– WS-Policy (propositional, and & or, but weak not)– Features and Properties (no operators, easier to map to RDF)

• Combinators (choose one/all, similar to WS-Policy)– KaOS Policy and Domain Services– WSPL and EPAL (subsets of XACMLs)– XACML (and, or, not, first and higher order bag functions)– Rei (OWL-Lite + logic-like variables)

• A lot of ambiguity about exact expressivity and computational properties (or even the semantics!)


An example: WS-Policy• WS-Policy provides a flexible grammar for

expressing C&C of web services– Normalized form (maybe to do non normalized)

• Two translation approaches:– Policies as Instances

• Readable, but hard to capture semantics• Available at:

http://mindswap.org/dav/ontologies/ws-policy_instance.owl

– Policies as Classes• Translate WS-Policy constructs into OWL constructs• E.g., wsp:All --> owl:intersectionOf


WS-Policy Example<wsp:Policy>

<wsp:ExactlyOne> <wsp:All>

<wsse:SecurityToken> <wsse:TokenType>wsse:Kerberosv5TGT</wsse:TokenType>

</wsse:SecurityToken> </wsp:All> <wsp:All>

<wsse:SecurityToken> <wsse:TokenType>wsse:X509v3</wsse:TokenType>

</wsse:SecurityToken> </wsp:All><wsp:All>

<wsse:SecurityToken> <wsse:TokenType>wsse:UserNameToken</wsse:TokenType>

</wsse:SecurityToken> </wsp:All>

</wsp:ExactlyOne> </wsp:Policy>


Mapping WS-Policy to OWL• “all” is easy: it’s logical conjuction (i.e., intersectionOf)• “exactlyOne” is harder, two readings:

– Older version: “oneOrMore”• Inclusive OR, maps to owl:unionOf

– “exactlyOne” suggests XOR• Have to map to a disjunction of conjunctions• Quadratic increase in size of disjuncts

– Ontology: http://www.mindswap.org/dav/ontologies/policytest.owl


Example• @prefix owl: <http://www.w3.org/2002/07/owl#> .

@prefix policytest: <http://www.mindswap.org/~kolovski/policytest.owl#> .

policytest:TestPolicy a owl:Class; owl:intersectionOf ( owl:unionOf ( policytest:SecurityTokenTypeUsernameToken policytest:SecurityTokenTypeX509 policytest:SecurityTokenTypeKerberos ) owl:complementOf owl:unionOf ( owl:intersectionOf ( policytest:SecurityTokenTypeUsernameToken policytest:SecurityTokenTypeX509 ) owl:intersectionOf ( policytest:SecurityTokenTypeUsernameToken policytest:SecurityTokenTypeKerberos ) owl:intersectionOf ( policytest:SecurityTokenTypeX509 policytest:SecurityTokenTypeKerberos ) ) ) .


Use OWL tools


Policy Aware WEB

(NSF ITR; Hendler, Berners-Lee, Weitzner; 2005)


PAW demo…

QuickTime™ and aTIFF (Uncompressed) decompressor

are needed to see this picture.


Web Server

Content

Use case:A Web browser requests the home page for a girl scout troop and is given it by a Web server.

Demo


Web Server

Content

However, requests for images result in HTTP Error 401, “Unauthorized”

401

401


The 401 “Unauthorized” response has been modified to provide a URL to a policy:

HTTP/1.1 401 Not authorized Date: Sat, 03 Dec 2005 15:32:18 GMT Server: TwistedWeb/2.0.1 Policy: http://groups.csail.mit.edu/dig/2005/09/rein/examples/troop42-policy.n3 Content-type: text/html; charset=UTF-8 Connection: close10:32:20 ERROR 401: Not authorized.

Demo


{ REQ a rein:Request. REQ rein:resource PHOTO. ?F a TroopStuff; log:includes { PHOTO a t:Photo; t:location LOC. LOC a t:Meeting }.

REQ rein:requester WHO. WHO session:secret ?S. ?S crypto:md5 TXT.

?F a TroopStuff; log:includes { [] t:member [ is foaf:maker of PG ]. LOC t:attendee [ is foaf:maker of PG ] }. PG log:semantics [ log:includes { PG foaf:maker [ session:hexdigest TXT ] } ].

} => { WHO http:can-get PHOTO }.

• Example policies– Photos taken at meetings of

the troop can be shared with any current member of the troop.

– Photos taken at a jamboree can be shared with anyone in the troop or with anyone who attended the jamboree.

– Photos of any girl in the troop can be shared with the world if that girl's parent has given permission

Policies use linked rules


Rein "ontology"

QuickTime™ and aTIFF (Uncompressed) decompressor

are needed to see this picture.


Rein example{ <http://dig.csail.mit.edu/2005/09/rein/examples/troop42.rdf> log:semantics ?F } => { ?F a TroopStuff }.

# Photos take at meetings of the troop can be shared with any # current member of the troop{ REQ a rein:Request. REQ rein:resource PHOTO. ?F a TroopStuff; log:includes { PHOTO a t:Photo; t:location LOC. LOC a t:Meeting }.


?F a TroopStuff; log:includes { [] t:member [ is foaf:maker of PG ]. LOC t:attendee [ is foaf:maker of PG ] }. PG log:semantics [ log:includes { PG foaf:maker [ session:hexdigest TXT ] } ].


# Photos taken at a jamboree can be shared with anyone in the # troop or with anyone who attended the jamboree.

# (i) anyone who is in the troop{ REQ a rein:Request. REQ rein:resource PHOTO. ?F a TroopStuff; log:includes

{ PHOTO a t:Photo; t:location LOC. LOC a t:Jamboree }.


?F a TroopStuff; log:includes { [] t:member [ is foaf:maker of PG ]. }. PG log:semantics [ log:includes { PG foaf:maker [ session:hexdigest TXT ] } ].


# (ii) anyone who attended the jamboree{ REQ a rein:Request. REQ rein:resource PHOTO. ?F a TroopStuff; log:includes

{ PHOTO a t:Photo; t:location LOC. LOC a t:Jamboree }.


?F a TroopStuff; log:includes { LOC t:attendee [ is foaf:maker of PG ]. }. PG log:semantics [ log:includes { PG foaf:maker [ session:hexdigest TXT ] } ].


The RDF/XML syntax is even worse: Authorability/Editability are important

issues Specialized use (cf. Creative Commons)

a partial out.


Web Server

Use of the PAW proof-generation proxy results in a proof which satisfies the policy:

Third-party services may be consulted to help construct the proof.

Proof

Demo


The proxy:

1. Uses Rein, a policy engine, to specify rules which match a given policy.

2. The Rein rules are run in Cwm, a forward-chaining reasoner for the Semantic Web. This generates a proof.

3. Proof is HTTP-PUT on the server, and a HTTP-GET on same document is then invoked (requires HTTP 1.1)

Demo


Web Server

Content

The Web server checks the proof and serves the content if it is valid.

Demo


The server:

1. Uses Cwm to validate the proof.2. Takes action based on validation (serves content or

denies).

Demo


Current demo work:

1. Get it working - Fix cwm proof generation (log:supports?)

2. Make use of multiple distributed authentication systems (instead of holding secrets in the proxy).

3. Associate content with RDF metadata and base policy decisions on the RDF (cf. policy 3)

4. Address issues of eventual integration of the proxy with a Web browser (e.g. cookie storage).

5. Extend system to "distributed" scenarios (different authorities hold parts of policy, may have own rules on access)

Demo


Open, Distributed Rules Challenges• Common Notation

– "Small matter of standardization"• N3, SWRL, RuleML

• Identity vs. privacy– How do you identify yourself w/o violating the very privacy

concerns we hope to address?• Current identity schemes are centralized and universal• Can we do a distributed ID model (maybe email based)?

• Inconsistency– In logic "P ^ -P => Q"

• On Web it better not! (Supported(Bush) ^ --Supported(Bush)) => you owe me $1000

• Can we use a "non-standard" logic solution?


Another Cool thing…• What is a rule of logic?

– In traditional philosophy it relates to "Truth"• What is truth on the Web?

– Ex: How many cows are in Texas?

– On the Web, we could use an idea of agreed upon rules, grounded at URI

• Social definition of truth via shared contexts– Ex: Because Mom said so…


Conclusions• Information lives in specific contexts

– The Semantic Web helps us place information into these (multiple) contexts.

• Control of information requires control of contexts– Explication of policies

• Linked in a Web-like way

– Integrated directly into the Web• With extensions for rules and proofs

– Is really hard• Issues of identity, inconsistency, grouding, change over time

– But holds great potential• Personal Control of your information spaces

• "Policy-Aware" Web project (joint between UMCP and MIT)– Goal: make this real!

http://www.mindswap.org/~hendler/2004/PAW.html


backup


Truth on Web Pages [based on Heflin etal, 1998]

• Inference rules could be used to determine the credibility of claims – I might believe the claims made by a reliable Newspaper

• Trustable(x) :- x; reliableNewspaper.

– And I could establish the Washington Post as reliable...• i.e. I assert:

http://www.washingtonpost.com owl:class reliableNewspaper.

– or if I infer it• ReliableNewspaper(X) :->

X owl:class ReliableNewspaper;http://MediaWatchList.• (?) reliableNewspaper(X) :-

X owl:class ReliableNewspaper; src ^ trusted(src).

• The rules are "grounded" in a testable way– cf. If I can HTTP-get the fact, then it is asserted


Rule Sets could be shared

• You can ground your sources– X :- X; src ^ src owl:class TrustedSource; http://…/myMomSet.rdf

• Or infer trusted sources based on other rule sets– X :- X; src ^ src owl:class TrustedSource; http://ex.com/RushLimbaughSet.rdf

– X :- X; src ^ src owl:class TrustedSource; http://ex.com/UnabomberRules.rdf

^ --( X;http://www.rushLimbaugh.com/truths.rdf)


Annotated Logic(in 25 words or less)

• Traditional LogicP & -P => Q (P and -P are inconsistent)

• Annotated Logic– P;X & -P;Y are not inconsistent – P;X & -P;X => Q;X but not Q;Y – P;X & -(P;X) is inconsistent and must be

avoided (but this is easily checked if inference of RHS is restricted)


On the Web

• Annotations represent document contextsX;Y and -(X;Y) cannot co-occur

(unless Web is broken)(modulo temporal change, but that's another talk)

<foaf:Person> <foaf:name>Jim Hendler</foaf:name> <foaf:title>Dr</foaf:title> <foaf:firstName>Jim</foaf:firstName> <foaf:surname>Hendler</foaf:surname> <foaf:mbox_sha1sum> be972c7a602683f7cf3c7a1fd0949c565debe4d3 </foaf:mbox_sha1sum> <foaf:homepage rdf:resource="http://www.cs.umd.edu/~hendler"/> <foaf:depiction rdf:resource="http://www.semanticgrid.org/q-iantbljim.jpg"/> <foaf:workplaceHomepage rdf:resource="http://owl.mindswap.org"/></foaf:Person>http://www.cs.umd.edu/~hendler/2003/foaf.rdf

==<foaf:name>Jim Hendler</foaf:name> ; http://www.cs.umd.edu/~hendler/2003/foaf.rdf


"Because it's there…"

The Policy-Aware Web: Privacy and Transparency on the Semantic Web

Documents

Transcript of The Policy-Aware Web: Privacy and Transparency on the Semantic Web