Information Security Technical Report (2005) 10,51e58

Security in the Semantic Web using OWL

Grit Denker a,*, Lalana Kagal b, Tim Finin b a SRI International, Computer Science Laboratory, 333 Ravenswood Ave, Menlo Park, CA 94025, United States b University of Maryland, Baltimore County, Computer Science and Electrical Engineering, 1000 Hilltop Circle, Baltimore, MD21250, United States

Abstract Information assurance, security, and privacy have moved from narrow topics of interest to information system designers to become critical issues of fundamental importance to society. This opens up new requirements and opportunities for novel approaches. Meeting this challenge requires to advance the theory and practice of security, privacy, and trust of Web-based applications and to provide declarative policy representation languages and ontologies together with algorithms to reason about policies. This paper summarizes an ontological approach to enhancing the Semantic Web with security. Ó 2005 Elsevier Ltd. All rights reserved.

Introduction allow interoperability. In the Semantic Web (SW), a Web resource’s metadata makes it possible to Although today’s Internet is a vast information evaluate its appropriateness for a given query, resource, its lack of structure and metadata makes which in turn will lead to greater efficiency of Web it difficult to extract desired information in a rea- resource allocation, despite the daily expansion of sonable time. The Semantic Web (Berners-Lee Web space. et al., 2001) is a vision of a future Internet in Berners-Lee (2000) outlines the architecture of which Web resources are enriched with machine- the Semantic Web as given in Fig. 1. The layers processable metadata that describes their mean- Unicode, URI, and XML, Namespace, and XML ing. This will enable computers to interpret and Schema represent current Web technology. RDF extract Web content much more effectively and and RDF Schema are languages for the description precisely than today’s XML-based approaches to of resources and their types, and thus are basic building blocks for the SW. Above the RDF layer is ontology vocabulary. Ontologies that describe * Tel.: C1 650 859 6058; fax: C1 650 859 2844. classes or types of things and their relationships E-mail address: [email protected] (G. Denker). form the basis for knowledge representation of

1363-4127/$ - see front matter Ó 2005 Elsevier Ltd. All rights reserved. doi:10.1016/j.istr.2004.11.002 52 G. Denker et al.

information about WWW resources. RDF is based on the idea of using Uniform Resource Identifiers (URIs) to identify Web resources in terms of simple properties and property value (Manola and Miller, 2003). URIs can identify things that do not neces- sarily have network locations or URLs. RDF pro- vides a simple way to make a statement about Web resources based on the RDF triple model. The model contains subject, predicate and object, which correspond to resource, property and value, respectively. The following example taken from Manola and Miller (2003) illustrates the triple model: consider the statement ‘‘http:// Figure 1 Semantic Web stack. www.csl.sri.com/users/denker/index.html is cre- ated by Grit Denker’’. The RDF parts for the statement are: the subject (resource) is the URL, data. The next layer is logic where new knowledge the predicate (property) is the phrase ‘‘created- is generated from existing assertions on the Web by by’’ and the object (value) is the name ‘‘Grit using knowledge representation rules. Finally, the Denker’’. last two layers, and as of yet least developed, are Because of its capability for describing the proof and trust. Security issues span all the upper semantics of data, RDF allows greater resource five layers, and digital signatures and encryption discovery capability and more meaningful content are the current state-of-the-art technologies for description. handling security, although these technologies do The Web Ontology Language (OWL) (Web Ontol- not make use of semantic information. ogy Working Group; Costello and Jacobs, 2003)is Given the increased importance of the World a W3C markup language recommendation for the Wide Web (WWW) for business, industry, finance, Web. Because OWL is based on RDF, the purpose of education, government and other sectors, security OWL is somewhat similar to RDF. OWL extends RDF will play a vital role in the success of the Semantic schema and is taking a further step in providing Web. Semantic annotations concerning security a richer vocabulary to express complex relation- aspects of Web resources, Web-based applica- ships and to enhance inference capabilities. Great- tions, or Web services add value to the Semantic er degree of inference creates smarter search Web when these markups are used in connection capabilities, service discovery, and content repre- with inference systems that support decision pro- sentation. OWL is an ontology language that can be cesses such as deciding who has access to what used to describe the meaning of terminology used resource or selecting services with respect to given in Web documents. OWL supports class definition security constraints. and subclassing (inheritance), property definition The remainder of this paper is organized as and property hierarchies (including inheritance of follows. In next section we briefly introduce RDF domain or range definitions), cardinality restric- and OWL. Then, on this basis, we illustrate how tions, value restrictions on properties, boolean security and trust can be formalized in OWL and class expressions (e.g., union, intersection) and demonstrate reasoning capabilities of a semantic many more concepts. OWL is separated into three approach to security for the Web. As Web services sublanguages (McGuiness and van Harmelen, have gained a lot of momentum in the World Wide 2003)dOWL Lite, OWL DL, and OWL Fulldwith d Web, Semantic Web services the equivalent for increasing expressiveness. d the Semantic Web are also becoming more im- Instead of going into detail about OWL language portant. Further, we address security and policies concepts, we will illustrate the use of the language for SWSs. We close with a brief summary and point in the context of security ontologies in the follow- out challenges for future work in the last section. ing section.

A (very) brief introduction to Security in OWL RDF and OWL Web resources and services need to be protected RDF (Resource Description Framework) (Lassila from unauthorized access and software agents and Swick, 1999) is a language for representing accessing online resources on behalf of a user Security in the Semantic Web using OWL 53 want to be ensured about the privacy of data they approach like we take in this paper is a possible disclose to services. Thus, a broad range of solution. Our work is not intended to replace the security-related notions, such as authentication, existing standardization efforts; rather, we pro- authorization, access control, confidentiality, data pose it as a semantic layer on top of the syntac- integrity, and privacy are relevant for SW technol- tically oriented standardization. ogy. Currently, low-level encryption, digital signa- For privacy issues, the P3P 1.0 Specification ture mechanisms, certification, and public key (Cranor et al., 2002), a W3C recommendation, is infrastructures provide a good security infrastruc- the current standard. P3P is targeted toward ture for Web-based interactions. However, pro- controlling how personal information is used on viding higher-level security, especially without Web sites that one visits. Web sites publish their prior trust relations in dynamic interactions, relies data-handling practices in XML which can then be on a variety of ad hoc mechanisms. This hetero- matched against client requirements published in geneity of mechanisms leaves security holes with APPEL (W3C: APPEL, W3C working draft). Recent deleterious effects. The proposed industrial stand- work on P3P (W3C: Handling privacy in WSDL 2.0) ards on security assume a well-established Web of discusses the extension of P3P toward Web serv- trust among business-to-business (B2B) partners. ices. For instance, the granularity of the P3P For example, there exists a significant body of published policy is limited to a URI reference standardization efforts for security of XML-based (e.g., an html page). P3P 1.0 is not capable of Web services, such as WS-security (Atkinson et al., specifying at the level of individual fields in a form, 2002), -trust (Della-Libera et al., 2003), and which has implications for its use in XForms and -policy (Box et al., 2003) at W3C, or SAML of the Web services. However, this extension caters to OASIS Security Services Technical Committee, and privacy protection of only the requester of serv- the Security Specifications of the Liberty Alliance ices, whereas privacy is of concern to both the Project. WS-Security provides a layer of security requester and the provider. over SOAP, which is an XML-based protocol for While P3P is concerned with privacy protection exchanging information primarily used for Web issues for Web users, EPAL 1.1 (IBM: EPAL 1.1) services. WS-Security describes how to attach specifies enterprise-level policies for data objects signature and encryption headers or security to- in the enterprise. EPAL can be thought of as kens to SOAP messages. WS-Policy enables Web a policy language that specifies rules for enforcing services to specify policies in terms of their privacy practices promised by a Web site (e.g., capabilities, requirements, and other character- through P3P or plain text privacy policy). Enforce- istics. WS-Trust describes how existing direct trust ment mechanisms for EPAL-specified rules are relationships may be used as the basis for broker- outside the scope of EPAL. ing trust through the creation of security token The above-mentioned frameworks all provide issuance services. a limited amount of extension to the base data The standards support low-level security or schema that allows addition of domain-specific policy markups that concern formats of credentials information (e.g., P3P extension mechanism). We or supported character sets for encoding. They do believe that our approach of using policy languages not address semantic user- or application-specific and ontologies allows the inclusion of domain- trust tokens and their relations, nor do they allow specific ontologies in a much cleaner way and for expressive policies. The standards deliver to provides the mechanism for inferring relationships the needs of B2B applications where trusted between concepts. Also, such policy languages and partners and business relationships have already ontologies allow privacy policies to be described been established in advance of operation and declaratively over the environment of both the transactions. However, in a world where more requester and the provider in terms of domain and more public and private services are becoming ontologies. available online and the vision of cyber-societies is Our approach is to provide a methodical, onto- becoming reality, assumptions about pre-estab- logical approach to security markup that proves lished trust relationships do not hold true. The useful in clarifying which are the high-level secu- standards are not extensible to more dynamic rity concepts and how they are related to each environments in which simple authentication is other. We therefore propose security ontologies in not enough, but authentication on user-defined OWL that provide a means for defining security attributes needs to be considered, as ‘‘foreign’’ or aspects of Web resources (Denker et al., Security unknown entities will interoperate with each other for DAML Web services). across heterogeneous domains and applications One of our high-level security ontologies sum- using delegation mechanisms. For this, a semantic marizes various ways in which authentication using 54 G. Denker et al. credentials can take place. Authentication is often SimpleCredential used as a method to decide access requests. Authentication is based on some token, also called name String credential, that the requesting party would know Login Certificate assoc passphrase CertificateData or have. Typical credentials are name-passphrase LoginWithPassphrase X509Certificate login, and public and private keys or certificates. owl:Restriction XMLSignatureX509Certificate We distinguish between ‘‘SimpleCredential’’ onProperty/minCardinality and ‘‘ComposedCredential’’. The top-level class assoc owl:Property daml:Restriction ‘‘SimpleCredential’’ (see Fig. 2) is subclassed to onProperty/toClass XMLSignatureX509Data ‘‘Cookie, Login, Key, Certificate, BioMetric’’, and ‘‘OneTimePassword’’ (subclass relationships are Figure 3 A credential ontology (some properties). depicted using dotted arrows). All subclasses are pairwise disjoint. ‘‘Public Key’’ and ‘‘Symmetric ‘‘XML-DSIG’’ is an instance of the signature class Key’’ are disjoint subclasses of the key class. The and ‘‘OpenPGP-Enc’’ is of type ‘‘Encryption’’. certificate class is specialized to ‘‘X509Certifi- Specific protocols such as ‘‘X-KRSS, X-KISS, Ker- cate’’, and further to the specific class of X509 beros’’, or ‘‘SOAP’’ are defined as instances of the certificates in the XML Signature (Bartel et al., appropriate protocol subclasses that satisfy cer- 2001). tain restrictions. Fig. 2 depicts only classes and their inheritance The security ontology summarizes at a very high relationships. Properties and other restrictions are abstraction level many of the commonly used defined in the ontologies as well. For example, the security-related notations. Such notations can be LoginWithPassphrase class has two datatype prop- used to describe user, agent, or service security erties defined as ‘‘loginName’’ and ‘‘passphrase’’, policies. both of type string (see Fig. 3). We are using the The ontologies are not only useful for descrip- OWL ‘‘restriction’’ concept to express that the tion of Web resources, but they also provide a basis cardinality on these properties for the login class is for reasoning. For example, we used the concept constrained to one. That means each LoginWith- of OWL restrictions to define certain security Passphrase credential has exactly one name and characteristics. A restriction class in OWL con- one passphrase. strains the range of an object property. For Abstracting further from credentials, we can example, a restriction on the property ‘‘relSecNo- specify general security notations as shown in tation’’ yields an ‘‘AuthenticationSubClass’’, that Fig. 4. Several properties are defined for the top is, a class that has as one of its related security class ‘‘SecurityMechanism’’. For example, the notations ‘‘Authentication’’. Thus, if a Web re- ontology defines an object property ‘‘syntax’’ that source has the authentication class as one of its has the class ‘‘Syntax’’ as range, another property requirement, the resource requires the user to ‘‘relSecNotation’’ has the class ‘‘SecurityNota- authenticate. This information can be used in tion’’ as range, and ‘‘reqCredential’’ has the reasoning about whether a user’s preferences credential class as range. There are various in- match the resource’s requirements. Consider, for stances for the defined classes. For example, example, a user who is interested in finding instances of syntax are ‘‘ASCII, OWL, RDF, XML, information about his hobby, but is not willing to MIME’’; security notations are ‘‘Authentication, sign up to yet another online service. This user Authorization, AccessControl, DataIntegrity, Con- would not be interested in a Web service that fidentiality, Privacy, ExposureControl, Anonymity, requires all users to sign in for authentication Negotiation, Policy, KeyDistribution’’; and ‘‘X.509’’ is an instance of the KeyFormat class.

Syntax SecurityMechanism KeyFormat

SimpleCredential Cookie OneTimePassword Signature Encryption Protocol SecurityNotation

Login Key Certificate BioMetric KeyProtocol DataTransferProtocol

LoginWithPassphrase PublicKey SymmetricKey X509Certificate Voice Fingerprint KeyRegistrationProtocol KeyInformationProtocol XMLSignatureX509Certificate owl:subClassOf subclasses are pairwise disjoint KeyDistributionProtocol

Figure 2 A credential ontology. Figure 4 A security ontology. Security in the Semantic Web using OWL 55 purposes. A software agent for that user, equipped OWL services). OWL-S and other related work may with the policies of ‘‘not using services that be viewed as efforts to lay the foundations for the require authentication’’, could upon finding most effective evolution of Web-service-related a Web service, read its metadata and, employing capabilities that can be supported with current Semantic Web reasoning techniques, decides and maturing technologies. At the same time, our whether the service adheres to the user’s policies. goal is to promote the rapid adoption of semanti- cally expressive technologies that are already well understood, and there is much that can be done in the near term. Therefore, mechanisms are avail- Security for Semantic Web services able by which OWL-S can be used along with the dominant Web services standards, such as WSDL. An increasing number of organizations are endors- OWL-S is a set of ontologies for describing ing Web service (WS) technology to extend corpo- capabilities, interfaces, and other details of Web rate resources to customers and partners and to services and has been designed to facilitate auto- leverage resources of others. Although Web serv- mated Web service discovery, composition, and ices, based on XML technology, allow interopera- invocation. An OWL-S description comprises a pro- bility, they do not support efficient and flexible file that provides a general description of the Web search, allocation, composition, runtime monitor- service, a process model that describes how the ing, or invocation of those Web services. Aspects of Web service performs its tasks and the Web service security, availability, and trustworthiness of Web interaction protocol, and a grounding that speci- services are not adequately addressed in a suffi- fies how the atomic processes in the Process Model ciently abstract level by current industry stand- map onto WSDL (WSDL:TR) representations (see ards. Through the exploration of how semantically Fig. 5). rich annotations will facilitate these tasks, Seman- There is no explicit place for security annota- tic Web services promise to provide solutions. tions and policies in OWL-S, but the natural Semantic Web services (SWS) is a new research extension toward security is to link policies to direction to support means by which services can the profile. The rationale for this is that policies be given richer semantic specifications. Richer specify general properties of the Web service semantics can provide fuller, more flexible auto- rather than properties that are specific to any mation of service provision, and use and support process. In collaboration with researchers from the construction of more powerful tools and Carnegie Mellon University (Katia Sycara and Mas- methodologies. simo Paolucci) and the University of Maryland, As Web services connect independently con- Baltimore (Tim Finin and Lalana Kagal), we have trolled domains, across application and organiza- begun addressing security issues for SWS by pro- tional boundaries, issues related to service viding semantically meaningful, declarative, ma- protection and security, reliability of results, or chine-processable policy descriptions and validity of source and cost become important. One associated algorithms and tools to match policies crucial issue is the dynamic nature of many trans- of service requesters with policies of service actions where service requesters and service pro- providers. We make use of semantically rich viders interact without any prior direct trust annotations as provided by Semantic Web services relationships. A prominent example is e-science to achieve this goal. In Denker et al., Security for and Grid services where data, computer hardware DAML Web services, we proposed two properties and instruments, and computational processes are for SWS, namely ‘‘securityRequirement’’ and ‘‘se- brought together in a dynamic fashion to achieve curityCapability’’. The range of these properties is the best results. In these situations, trust relation- the ‘‘SecurityMechanism’’ class from the ontolo- ships must be established on the fly and for gies presented in the previous section. These a limited purpose and time. To facilitate such flexible establishment of trust, there is a need for formalisms to express security policies in ways that provides software agents can access them and use them to Resource Service make choices as to which service to engage. presents supports describedBy OWL-S ServiceProfile ServiceGrounding ServiceModel Our work is developed in the context of Web service descriptions in OWL-S (OWL-S coalition: Figure 5 Top level OWL-S ontology. 56 G. Denker et al. properties allowed us to describe WS and agents in include constraints over different attributes of the terms of requirements, such as ‘‘service requires requester, the service, and the content in general. authentication with X509 certificate’’, and their For example, the policy of a stock quote service is capabilities, such as ‘‘Agent can provide smart that the service is available only when the stock card credential’’. These descriptions are static in market is open. This policy describes the condi- the sense that they are not described in terms of tions under which the service is available, and actions, but rather in terms of security classes these conditions are contextual as they include the (such as the restriction classes described in the time when the service is invoked. Along with previous section). To gain more expressiveness for restricting access to services, policies can be used security characterizations, we proposed to extend to safeguard a client’s or a service’s privacy and the ontological approach with policies. confidentiality. We address three kinds of policy: authorization, privacy, and confidentiality. An authorization pol- Policies for SWS icy is defined as a set of rules that restrict access to a service. These policies constrain access to the In addition to the abstract security notations that service to only certain clients and under certain we illustrated, an aspect that is gaining increasing circumstances. For example, an authorization interest in the Semantic Web is generic security policy of a university printer service states that policies. Consider, for example, privacy issues in only members of the CS department are allowed to online transactions. Today, online transactions access the service. In this example, the policy have humans in the loop, where individuals peruse describes the credentials required for access, the various policies on privacy concerns and con- which is the membership of the CS department. tracting assumptions that online sites publish, and Privacy policies specify what information can be then choose whether or not to make use of the exchanged, the legitimate uses of the information, service. For automated use of Web resource, e.g., and the conditions under which this exchange is via software agents acting on behalf of users, it is possible. For instance, the privacy policy of a user therefore important to provide technology that states that the user’s Social Security number allows software agents to express their preferred should not be disclosed to anyone. Privacy policies policy with respect to their own privacy concerns specify restrictions not only on data exchanged, (i.e., the privacy concerns of the user on whose but also on the recipient after the receipt of data. behalf they are acting) and to validate that the Consider, for example, a service that states that it expressed policy would be carried out by the will not distribute any details it receives as input. service providers. This might be an important requirement for a re- In Kagal et al. (2004) we propose to extend the quester who requires privacy. This privacy policy security framework introduced in the previous can be interpreted as an obligation on the Web section through the addition of annotations about service and can then act as a contract. In this way, the security and privacy policies of services ex- if after invocation, the service does provide the pressed in Rei which allows rules and constraints to user’s details to a telemarketer, the user can take be defined over domain-specific ontologies. This legal action against the service based on the policy information is used in service selection and policy. invocation. We propose policies as an extension of Closely linked to privacy policies are confiden- the security requirements of services and suggest tiality policies that describe cryptographic char- the addition of a property, called policyEnforced, acteristics of the input and output parameters of defined as a subproperty of securityRequirement a service. A requester’s confidentiality policy (see http://www.daml.org/service/owl-s/security. might state that all communication must be html, serviceSecurity.owl). The policyEnforced encrypted. This policy is matched against the property describes the different policies that must process model of the service to verify that the to be enforced for the correct execution of service indeed performs as required. service. Policies are basically rules of behavior over The key idea is to integrate policies into the different attributes of the requester, service, and representation of Semantic Web services to pro- any context. To describe policies, we use Rei vide security at various levels. Policies provide (Kagal et al., 2002, 2003), a logic-based language specifications that restrict who can use a service for policy specifications based on RDF and RDF under what conditions, how information should be Schema (RDFS). Rei is a declarative policy lan- provided to the service, and how provided in- guage that includes notions of logic-like variables formation will be used later. These specifications for describing different kinds of conditions that are Security in the Semantic Web using OWL 57 not directly possible in OWL. For example, it is in large-scale, open, distributed systems that has possible to specify in Rei that the uncle of the been widely deployed. owner of the pay-for-use service is authorized to The policy languages described above have use the service free of charge. These variables are some common limitations that make them difficult defined as type ‘‘Variable’’ of the Rei ontology, to extend for the environment in which semantic and the unification of variables is carried out in the Web services will be used. (1) They do not handle same fashion as Prolog. Rei is modeled on the basis delegation as required in dynamic environments. of deontic concepts of permissions, prohibitions, The policy languages we propose add a series of obligations, and dispensations. These constructs constraints at every level of delegation. This have three main attributes: actor, action, and allows control over not only who can delegate constraint. Constraint specifies conditions over but also to whom they can delegate and under the actor, action, and any other context that must what conditions. (2) They do not support justifica- be true at the tune of the invocation of the action tion and advising that is required for greater or service. These deontic constructs are linked to autonomy. (3) They use syntactic languages that policies through the ‘‘granting’’ class that allows cannot be easily modified to work with different additional constraints to be attached to the de- domain-specific information. ontic rule. These constructs allow Rei to model authorization, privacy, and confidentiality policies in terms of what an entity can/cannot do or must/ Conclusions and future work must not do. Associated with the policy language is a policy Information assurance, security, and privacy have engine that interprets and reasons over the moved from narrow topics of interest to informa- policies and domain information to make decisions tion system designers to become critical issues of about applicable negative/positive permissions fundamental importance to society. As such, they and prohibitions. So far, we have concentrated also play an important rule in Web-based applica- on the following two tasks: (i) provision of tions and newer technology such as Semantic Web authorization, privacy, and confidentiality policies applications. These applications need the capabil- for SWSs, and (ii) design of matchmaking and ity for agents, devices, and services to seamlessly compliance checking algorithms on the basis of interact while preserving appropriate security, semantic annotations, policies, and properties privacy, and trust. of the requester, the service, and the general Meeting this challenge requires realizing four context. high-level objectives: (1) to advance the theory Other work in the area of trust and privacy and practice of security, privacy, and trust of Web- policies for the Semantic Web such as Gandon and based interactions by providing technology for Sadeh and Bradshaw et al. (2003) is also relevant trust in the Semantic Web and trust worthy, for our work, although this work is not specifically semantically annotated Web services; (2) to pro- targeted toward Semantic Web services. vide declarative policy representation languages, There exist other policy languages, such as KAoS ontologies, and inference algorithms for security, (Bradshaw et al., 2003), Ponder (Damianou et al., trust and privacy management, enforcement, and 2001), Security Policy Language (SPL) (Ribeiro negotiation; and (3) to prototype software tools et al., 2001) and Delegation Logic (DL) (Li et al., allowing system designers and end users to both 2000). KAoS allows policy specification on the basis specify and verify policies for trust and privacy. of OWL constructs. The advantage of our approach In this paper we have mainly addressed the is the explicit use of variables that make policy knowledge representation and some of the rea- expressions more expressive. Ponder is a flexible soning issue for trust and security in the Semantic and expressive policy specification language, but it Web. Enforcement mechanisms, automatic nego- does not lend itself to being useful for Semantic tiation and tools for SW and SWS security are much Web services as it is more of a syntactic language. less developed and provide ample opportunities Ponder allows definition of positive and negative for future research. These opportunities include: authorization policies (access control), informa- first, building semantic abstractions on current and tion filtering (transforming requested information emerging Web standards for security, trust, and into a suitable format), and delegation positive privacy to ensure wide societal adoption and de- and negative. SPL is an access control language for ployment; second, incorporating policy models security policies with complex constraints. DL is into the descriptions of services and agents that a logic-based, computationally tractable, knowl- act on behalf of users enables policy-based service edge representation that deals with authorization discovery, selection, composition, and monitoring; 58 G. Denker et al. third, designing algorithms that use declarative Damianou N, Dulay N, Lupu E, Sloman M. The Ponder policy policy descriptions enables reasoning about policy specification language. In: Lecture Notes in Computer compatibility and policy negotiation, and facili- Science, 1995, 2001. Della-Libera G, Dixon B, Garg P,Hallam-Baker P,Hondo M, Kaler C, tates implementing enforcement mechanisms et al. Web services trust language (WS-Trust).!http://www. transparent to end users. Finally, users, system 106.ibm.com/developerworks/library/ws-trust/O 2003. designers, and administrators can use intuitive Denker G, Kagal L, Finin T, Paolucci M, Sycara K. Security for policy engineering tools to specify and validate DAML Web services: annotation and matchmaking. In: effective policies for security, privacy, and trust. Fensel D, Sycara K, Mylopoulos J, editors. Proceedings of the 2nd international Semantic Web conference (ISWC 2003) The technical advances achieved will signifi- Sanibel Island, FL, LNCS 2870. Springer; October 2003. cantly impact our ability to engineer open and Gandon F, Sadeh N. A semantic e-wallet to reconcile privacy flexible information services that are secure, and context awareness. In: Fensel D, Sycara K, Mylopoulos J, support enforceable privacy policies, and incorpo- editors. Proceedings of the 2nd international Semantic Web rate models of trust. This satisfies growing require- conference (ISWC 2003) Sanibel Island, FL, LNCS 2870. Springer; October 2003. p. 385e401. ments in education, commerce, and government !http://www.w3.org/TR/wsdl/O. applications. IBM. EPAL 1.1.!http://www.zurich.ibm.com/security/ enterprise-privacy/epal/Specification/index.htmlO. Kagal L, Finin T, Joshi A. A policy language for a pervasive computing environment. In: IEEE 4th international workshop on policies for distributed systems and networks; 2002. Kagal L, Finin T, Joshi A. A policy language for pervasive References systems. In: Fourth IEEE international workshop on policies for distributed systems and networks; 2003. Atkinson B, Della-Libera G, Hada S, Hondo M, Hallam-Baker P, Kagal L, Finin T, Paolucci M, Srinivasan N, Sycara K, Denker G. Klein J, et al. Web services security (WS-Security).!http:// Authorization and privacy for Semantic Web services. In: www-106.ibm.com/developerworks/webservices/library/ IEEE Intelligent Systems; 2004. ws-secure/O; 2002. Lassila O, Swick R. Resource Description Framework (RDF) Bartel M, Boyer J, Fox B, LaMacchia B, Simon E. XML-signature model and syntax specification.!http://www.w3.org/tr/ syntax and processing rules.!http://www.w3.org/ rec-rdf-syntax/O; 1999. TR/2001/PR-xmldsig-core-20010820/O; 2001. Li N, Grosof B, Feigenbaum J. A practically implementable and Berners-Lee T. Semantic WebdXML2000.!http://www.w3. tractable delegation logic. In: Proceedings of 2000 IEEE org/2000/Talks/1206-xml2k-tbl/slidel0-0.html/O; 2000. symposium on security and privacy (S&P’OO). IEEE Computer Berners-Lee T, Hendler J, Lassila O. The Semantic Web. Society; 2000. p. 27e42. Scientific American; 2001 Manola F, Miller E. RDF primer.!http://www.w3.org/TR/ Box D, Curbera F, Hondo M, Kale C, Langworthy D, Nadalin A, rdf-primer/O; 2003. et al. Web services policy framework (WS-PoIicy).!http:// McGuiness DL, van Harmelen F. OWL Web Ontology Language www-106.ibm.com/developerworks/library/ws-polfram/O; overview.!http://www.w3.org/TR/owl-features/O; 2003. 2003. Ribeiro CN, Zuquete A, Ferreira P, Guedes P. SPL: an access Bradshaw J, Uszok A, Jeffers R, Suri N, Hayes P, Burstein M, control language for security policies with complex con- et al. Representation and reasoning for DAML-based policy straints. In: Network and Distributed System Security and domain services in KAoS and Nomads. In: AAMAS’03, July Symposium (NDSS’Ol); 2001. 14e18 Melbourne, Australia. Web Ontology Working Group: OWL.!http://www.w3.org/ OWL-S Coalition: OWL services.!http://www.daml.org/ 2001/sw/WebOnt/O. services/O. WSDL: Technical report, !http://www.w3.org/TR/wsdl/O. Costello R, Jacobs D. A quick introduction to OWL Web Ontology W3C: APPEL. W3C working draft.!http://www.w3.org/TR/ Language.!http://www.xfront.comO; 2003. P3P-preferences/O. Cranor L, Langheinrich M, Marchiori M, Presler-Marshall M, W3C. Handling privacy in WSDL 2.0.!http://www.w3.org/ Reagle J. Platform for privacy preferences (P3P); 2002. TeamSubmission/2004/SUBM-p3p-wsdl-20040213/O.