Obligations in PTaCL

Conrad Williams, Jason Crampton

Research output: Chapter in Book/Report/Conference proceeding - Chapter

Abstract

Obligations play an increasingly important role in authorization systems and are supported by languages such as XACML. However, our understanding of how to handle obligations in languages such as XACML, particularly in exceptional circumstances, is hampered by a lack of formality and rigor in the existing literature, including the XACML standard. PTaCL is an attribute-based policy language that makes use of tree-structured policies and targets, like XACML. However, PTaCL is more general than XACML and has rigorous operational semantics for request evaluation, from which a policy decision point can be implemented. In this paper, we enhance PTaCL by extending the policy syntax to include obligations and defining the obligations that should be associated with an authorization decision. Our final contribution is to extend our analysis to cases where policy evaluation may return an indeterminate value. We demonstrate that obligation semantics for PTaCL coincide with those of XACML when there is no indeterminacy. More importantly, we show that our obligation semantics provide a principled method for determining obligations for any policy-combining algorithm and the set of possible obligations in the presence of indeterminacy, thereby providing considerable advantages over existing approaches.
Original language: English
Title of host publication: Security and Trust Management
Subtitle of host publication: 11th International Workshop, STM 2015, Vienna, Austria, September 21-22, 2015, Proceedings
Editors: Sara Foresti
Publisher: Springer
Pages: 220-235
Number of pages: 16
ISBN (Electronic): 978-3-319-24858-5
ISBN (Print): 978-3-319-24857-8
Publication status: Published - 22 Sept 2015

Publication series

Name: Lecture Notes in Computer Science
Publisher: Springer
Volume: 9331
