ETSI GS INS 005-2011 Identity and access management for Networks and Services; Requirements of an Enforcement Framework in a Distributed Environment (PDF)

Uploaded by: Iclinic170   Document ID: 733260   Uploaded: 2019-01-08   Format: PDF   Pages: 19   Size: 133.13KB
Resource description

ETSI GS INS 005 V1.1.1 (2011-03)
Group Specification

Identity and access management for Networks and Services;
Requirements of an Enforcement Framework in a Distributed Environment

Disclaimer

This document has been produced and approved by the Identity and Access Management for Networks and Services (ETSI INS) ETSI Industry Specification Group (ISG) and represents the views of those members who participated in this ISG. It does not necessarily represent the views of the entire ETSI membership.

Reference: DGS/INS-005
Keywords: authorization, enforcement

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00   Fax: +33 4 93 65 47 16
Siret No. 348 623 562 00017 - NAF 742 C
Non-profit association registered with the Sous-Préfecture de Grasse (06) No. 7803/88

Important notice

Individual copies of the present document can be downloaded from: http://www.etsi.org

The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat.

Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http://portal.etsi.org/tb/status/status.asp

If you find errors in the present document, please send your comment to one of the following services: http://portal.etsi.org/chaircor/ETSI_support.asp

Copyright Notification

No part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2011. All rights reserved.

DECT(TM), PLUGTESTS(TM), UMTS(TM), TIPHON(TM), the TIPHON logo and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPP(TM) is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. LTE is a Trade Mark of ETSI currently being registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association.

Contents

Intellectual Property Rights ..... 4
Foreword ..... 4
Introduction ..... 4
1 Scope ..... 5
2 References ..... 5
2.1 Normative references ..... 5
2.2 Informative references ..... 5
3 Definitions and abbreviations ..... 6
3.1 Definitions ..... 6
3.2 Abbreviations ..... 6
4 Current Landscape ..... 7
4.1 eXtensible Access Control Markup Language (XACML) ..... 7
4.2 Enterprise Privacy Authorization Language (EPAL) ..... 7
4.3 Sticky Policies ..... 7
4.4 Microsoft Security Policy Assertion Language ..... 8
5 Application Scenarios ..... 8
5.1 Support for the specification and enforcement of privacy obligation in clouds ..... 8
5.2 Location Based Service in Enterprise Environment ..... 9
5.2.1 Description ..... 9
5.2.2 Actors ..... 10
5.2.2.1 Actors specific Issues ..... 10
5.2.2.2 Actors specific Benefits ..... 10
5.2.3 Pre-Conditions ..... 11
5.2.4 Post-Conditions ..... 11
5.3 Online Social Network Site ..... 11
5.3.1 Description ..... 11
5.3.2 Actors ..... 11
5.3.3 Actors specific Issues ..... 11
5.3.4 Actors specific Benefits ..... 12
5.3.5 Pre-Conditions ..... 12
5.3.6 Post-Conditions ..... 12
5.4 Specification of enforcement location ..... 13
5.5 Dynamic obligation specification ..... 13
6 Requirements ..... 14
6.1 General Distributed Enforcement Framework Requirements ..... 14
6.2 Enforcement Point requirements ..... 16
6.3 Management Requirements ..... 16
6.4 Obligation Requirements ..... 16
6.5 Distributed Decision Point requirements ..... 17
7 Conclusion ..... 17
Annex A (informative): Authors

Intellectual Property Rights

"Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http://webapp.etsi.org/IPR/home.asp).

Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document.

Foreword

This Group Specification (GS) has been produced by ETSI Industry Specification Group (ISG) Identity and access management for Networks and Services (INS).

Introduction

Enforcing authorization decisions in a distributed environment is a challenging task compared to traditional services. The entity directly controlling and enforcing the access to the resources may be organizationally or physically separated from the entity providing the decision. In a cloud environment multiple entities might control the authorization for a particular activity. In addition to the enforcement of the pure access decision, a set of obligations may have to be enforced. Another approach is to attach the access policy directly to the data and ensure that it is always enforced. In a distributed environment these approaches require not only a trust relationship between the enforcement and decision points on the one hand and the entities passing data with attached policies on the other hand; it also has to be ensured that decisions and obligations, as well as the attached policies, are syntactically and semantically understood in the same way at all involved entities.

While the use cases and resulting requirements of distributed access control have been previously addressed in [i.1], which focuses more on the decision process, the present document considers the distributed enforcement of these decisions and the related obligations, which are used to protect the data in general, ensure the privacy of the user, or provide flexible auditing of the access requests. If multiple entities are involved in the decision process, their obligations have to be enforced as well. The present document will also illustrate that for a distributed environment the location of the enforcement is an important aspect. As different entities are involved, the obligations utilized in the authorization process have to be specified in a dynamic manner.

After providing the relevant references and defining the used terminology, an overview of the current landscape on distributed enforcement environments is given. The main contribution of the present document is a set of application scenarios illustrating various aspects of distributed enforcement environments which are not yet considered or addressed by other standardization activities. These application scenarios are also used to illustrate requirements related to distributed enforcement environments, which are finally presented in the present document.

1 Scope

The present document will provide the requirements on distributed enforcement environments, taking into account attached policies as well as frameworks with dedicated enforcement and decision points. The requirements of the decision making process have been covered in [i.1]. The present document will not only deal with the requirements of the architecture and the information carried in the decision, but will take into account the requirements regarding specification of the obligations exchanged. It is assumed that the different entities, especially those described as policy enforcement points (PEP) and policy decision points (PDP), have a mutual trust relationship on which they rely with respect to decisions being made and enforced accordingly. The basis of these trust relationships could be legal agreements and/or unforgeable audit trails.

2 References

References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the reference document (including any amendments) applies. Referenced documents which are not found to be publicly available in the expected location might be found at http://docbox.etsi.org/Reference.

NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity.

2.1 Normative references

The following referenced documents are necessary for the application of the present document.

Not applicable.

2.2 Informative references

The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area.

[i.1] ETSI GS INS 002 (V1.1.1): "Identity and Access Management for Networks and Services; Distributed Access Control for Telecommunications; Use Cases and Requirements".
[i.2] OASIS (2.0 edition, 1 February 2005): "eXtensible Access Control Markup Language (XACML)".
[i.3] OASIS (3.0 edition, 10 August 2010): "eXtensible Access Control Markup Language (XACML)", Committee Specification 01.
[i.4] OASIS XACML (v3.0, 28 December 2007): "Obligation Families Version 1.0", Working draft 3.
[i.5] IBM: "Enterprise Privacy Authorization Language (EPAL), Version 1.2", Submission to W3C, 2003.
[i.6] W3C Recommendation W3C PLING (16 April 2002): "The Platform for Privacy Preferences 1.0 (P3P1.0) Specification".
[i.7] Anne H. Anderson: "A comparison of two privacy policy languages: EPAL and XACML". In Proceedings of the 3rd ACM workshop on Secure web services (SWS '06). ACM, New York, NY, USA, 53-60.
[i.8] G. Karjoth, M. Schunter, M. Waidner: "Platform for Enterprise Privacy Practices: Privacy-enabled Management of Customer Data", 2nd Workshop on Privacy Enhancing Technologies, Lecture Notes in Computer Science, Springer Verlag, 2002.
[i.9] Marco Casassa Mont, Siani Pearson, Pete Bramhall: "Towards Accountable Management of Identity and Privacy: Sticky Policies and Enforceable Tracing Services", Database and Expert Systems Applications, International Workshop on, p. 377, 14th International Workshop on Database and Expert Systems Applications (DEXA'03), 2003.
[i.10] M. Y. Becker, C. Fournet and A. D. Gordon: "Design and semantics of a decentralized authorization language". In IEEE Computer Security Foundations Symposium, pages 3-15, 2007.
[i.11] M. Y. Becker, A. Malkis and L. Bussard: "A framework for privacy preferences and data-handling policies". Technical Report MSR-TR-2009-128, Microsoft Research, 2009.

3 Definitions and abbreviations

3.1 Definitions

For the purposes of the present document, the following terms and definitions apply:

obligation: operation specified in conjunction with a policy, either by the data owner or other relevant entities, which should be enforced as part of a policy decision

NOTE: Obligations may be triggered by timing constraints, by policy violations, or by event notifications from other entities.

associated/sticky policies: policies associated with obfuscated user data and sent around with this data, determining the relevant disclosure constraints

NOTE: Sticky policies are usually specified as the results of an automated matching between users' wishes and service providers' promises with regard to data handling. They contain the authorization rules and obligations that the PEP is obliged to enforce.

3.2 Abbreviations

For the purposes of the present document, the following abbreviations apply:

EPAL   Enterprise Privacy Authorization Language
IdM    Identity Management
IdP    Identity Provider
LBS    Location Based Service
MNO    Mobile Network Operator
MSNS   Mobile Social Network Site
PAP    Policy Administration Point
PDP    Policy Decision Point
PEP    Policy Enforcement Point
SaaS   Software as a Service
SecPAL Security Policy Assertion Language
TA     Tracing Authority
XACML  eXtensible Access Control Markup Language

4 Current Landscape

4.1 eXtensible Access Control Markup Language (XACML)

During the recent years OASIS XACML 2.0 [i.2] has become the recognized standard for the specification of access control policies as well as a generic framework for access control. The policy enforcement point (PEP) sends access requests, which are evaluated at a policy decision point (PDP). In addition to the result, which indicates whether the access should be granted or denied, a list of obligations, which have been specified in conjunction with the evaluated policies and policy sets, may be sent back to the PEP. The PEP is responsible for decoding and enforcing these obligations. While for access privileges the policy language is flexible, the handling of obligations is quite limited. From a language point of view a general syntax is specified encoding the name of an obligation and its arbitrary list of attributes, which are fixed values or, as of 3.0 [i.3], variables. The OASIS XACML standard [i.2] assumes that the PEP recognizes the obligations returned by the PDP upon an access request and knows how to implement them correctly. If the PEP does not recognize the obligation, the request is denied according to the specification. In XACML 3.0 [i.3] different types of PEPs are specified, but the general assumption is that the PEP understands the obligations and is able to enforce them. In addition to obligations, a new element called advice has been introduced in XACML 3.0 [i.3]; advices are, like obligations, specified in conjunction with policies or policy sets and provided by the PDP to the PEP as part of the decision. In contrast to obligations, advices may be safely ignored by the PEP. There has been work [i.4] regarding the timing constraints on enforcing the obligation and fall-backs in case of errors during the obligation execution.

4.2 Enterprise Privacy Authorization Language (EPAL)

The Enterprise Privacy Authorization Language (EPAL) is a formal language to express fine-grained enterprise privacy policies, submitted to the W3C consortium [i.5]. The key aspect of EPAL is to provide a detailed description of high-level privacy policies such as W3C P3P [i.6]. EPAL defines a policy which contains a general information element describing the policy, a set of vocabulary which may be used inside the policy and conditions on their usage acting as a global pre-condition, together with rules which define the actual authorization of the policy. Parameterized obligations could be associated to rules, specifying actions which should be executed to ensure the privacy of the user data. The actual syntax or semantic of obligations is not specified. It has been shown in [i.7] that EPAL policy and rules provide a subset of the functionality that can be provided by XACML [i.2].

4.3 Sticky Policies

In [i.8], sticky policies are defined as a paradigm that allows users to strictly associate policies to identity data, to drive access control decisions and privacy enforcement. When using sticky policies, data is sent obfuscated from the user to the data consumer (usually a
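As an added illustration of the PEP behaviour that clause 4.1 attributes to XACML (this code is not part of the ETSI document or of any OASIS implementation), the following Python parses a constructed XACML 3.0 response, denies the request when an obligation is not recognized, discharges recognized obligations through a handler registry, and treats advice as non-binding. Treating a failing obligation handler as Deny is this example's own fall-back choice, and the urn:example Ids and the sample response are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}

# Constructed sample PDP response; the obligation, advice and attribute Ids are hypothetical.
SAMPLE_RESPONSE = """<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <Result><Decision>Permit</Decision>
    <Obligations><Obligation ObligationId="urn:example:obligation:log-access">
      <AttributeAssignment AttributeId="urn:example:attr:level">INFO</AttributeAssignment>
    </Obligation></Obligations>
    <AssociatedAdvice><Advice AdviceId="urn:example:advice:banner"/></AssociatedAdvice>
  </Result></Response>"""

def parse_result(xml_text):
    """Return (decision, obligations, advices) of the first <Result>; each obligation
    or advice is (Id, {AttributeId: value}), i.e. the name-plus-attribute-list syntax."""
    result = ET.fromstring(xml_text).find("x:Result", NS)
    def attrs(elem):
        return {a.get("AttributeId"): (a.text or "").strip()
                for a in elem.findall("x:AttributeAssignment", NS)}
    obligations = [(o.get("ObligationId"), attrs(o))
                   for o in result.findall("x:Obligations/x:Obligation", NS)]
    advices = [(a.get("AdviceId"), attrs(a))
               for a in result.findall("x:AssociatedAdvice/x:Advice", NS)]
    return result.findtext("x:Decision", namespaces=NS), obligations, advices

def enforce(xml_text, handlers, audit):
    """PEP semantics described in clause 4.1: grant only if the decision is Permit and
    every obligation is recognized and discharged; advice is never binding. A handler
    that raises is treated as Deny (this example's fall-back, not the specification's)."""
    decision, obligations, advices = parse_result(xml_text)
    if decision != "Permit":
        return False
    for oid, a in obligations:
        handler = handlers.get(oid)
        if handler is None:
            audit.append(f"deny: unrecognized obligation {oid}")
            return False
        try:
            handler(a, audit)
        except Exception as exc:
            audit.append(f"deny: obligation {oid} failed ({exc})")
            return False
    for aid, _ in advices:
        audit.append(f"advice {aid} noted, not enforced")
    return True

def log_access(a, audit):
    # Handler for the hypothetical log-access obligation: records the requested level.
    audit.append(f"access logged at level {a['urn:example:attr:level']}")
```

Registering a handler for every ObligationId the PDP may return is the deployment step the specification leaves to the PEP; the audit list makes the deny reason visible for the unforgeable audit trail mentioned in clause 1.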
