The Relationship Between XACML and P3P Privacy Policies

Author:  Anne Anderson <Anne.Anderson@Sun.COM>
Version: 1.12
Updated: 04/11/11 (yy/mm/dd)
Copyright(C) 2004 Sun Microsystems, Inc. All Rights Reserved.

Introduction

This note addresses the relationship between the OASIS eXtensible Access Control Markup Language (XACML) and the W3C Platform for Privacy Preferences (P3P) as two privacy policy languages.

Background

The OASIS eXtensible Access Control Markup Language (XACML) is a powerful and flexible language for expressing access control policies; Version 1.0 achieved OASIS Standard status in February of 2003, and has since been widely adopted, including three publicly available implementations, one of which is open source. XACML was designed with the requirements for implementing privacy policies in mind, as evidenced by the medical record examples in Section 4 of the XACML Specification. In order to aid interoperability in the specification of privacy policies, a Privacy policy profile of XACML was defined as part of XACML 2.0; XACML 2.0 is currently progressing toward OASIS Standard status. The Privacy profile does not use any new features in the core XACML 2.0, and can be used equally well with XACML 1.0 or XACML 1.1.

The Platform for Privacy Preferences 1.0 (P3P1.0) Specification became an official W3C Recommendation in April 2002. The W3C's introduction to P3P says:

The Platform for Privacy Preferences Project (P3P), developed by the World Wide Web Consortium, is emerging as an industry standard providing a simple, automated way for users to gain more control over the use of personal information on Web sites they visit. At its most basic level, P3P is a standardized set of multiple-choice questions, covering all the major aspects of a Web site's privacy policies. Taken together, they present a clear snapshot of how a site handles personal information about its users. P3P-enabled Web sites make this information available in a standard, machine-readable format. P3P enabled browsers can "read" this snapshot automatically and compare it to the consumer's own set of privacy preferences. P3P enhances user control by putting privacy policies where users can find them, in a form users can understand, and, most importantly, enables users to act on what they see.

Relationship

As can be seen from the description above, P3P is a language primarily aimed at expressing privacy policies in a form that users can understand; XACML is a language primarily aimed at expressing privacy policies in a form such that computer systems can enforce them. P3P expresses privacy policies at a high level in generic user and data category terms; XACML expresses privacy policies in terms of specific user identities or system-assigned user roles or other attributes, and in terms of specific data resource identities or system-assigned resource descriptors.

The expressions in the two languages should be compatible. That is, if a P3P policy says that "the only data the site collects on its home page is the data found in standard HTTP access logs", then the corresponding XACML privacy policy will permit, in the course of serving the specific file that contains the source for the site's home page, a "write" operation on the specific file containing the HTTP access log, and only for the specific fields (clientAddress, userName, localTime, bytesSentToClient, referrer, etc.) that make up a standard access log entry. The XACML policy is a concrete application of the P3P policy to actual users, resources, actions, and purposes.
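The home-page case above, written out in both languages. This is an added illustration, not part of the original note or of any XACML implementation: the P3P policy is what the site publishes to visitors, the XACML 1.0 policy is what the site's policy decision point enforces for the same statement (two separate documents, shown together). The entity name, the discuri, the log path, the subject id "httpd" and the attribute identifiers in the urn:example namespace are assumptions made for the example; the field names are the ones listed in the text. A deployment would normally carry the purpose in the purpose attributes defined by the XACML Privacy profile rather than in the example attribute used here.

```xml
<!-- P3P policy as published by the site (constructed example). -->
<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY name="homepage" discuri="http://www.example.com/privacy.html">
    <ENTITY><DATA-GROUP><DATA ref="#business.name">Example Corp.</DATA></DATA-GROUP></ENTITY>
    <ACCESS><nonident/></ACCESS>
    <!-- The only data collected on the home page is a standard access-log
         entry, used by the site itself for administration and development. -->
    <STATEMENT>
      <PURPOSE><admin/><develop/></PURPOSE>
      <RECIPIENT><ours/></RECIPIENT>
      <RETENTION><indefinitely/></RETENTION>
      <DATA-GROUP>
        <DATA ref="#dynamic.clickstream"/>
        <DATA ref="#dynamic.http.useragent"/>
        <DATA ref="#dynamic.http.referer"/>
      </DATA-GROUP>
    </STATEMENT>
  </POLICY>
</POLICIES>

<!-- XACML 1.0 policy enforced by the server's policy decision point (separate
     document). Subject id "httpd", the log path and the urn:example attribute
     identifiers are assumptions; the field names come from the note. -->
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
        PolicyId="urn:example:policy:homepage-access-log"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target>
    <Subjects>
      <Subject>
        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">httpd</AttributeValue>
          <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
              DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </SubjectMatch>
      </Subject>
    </Subjects>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">file:///var/log/httpd/access_log</AttributeValue>
          <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
              DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
        </ResourceMatch>
      </Resource>
    </Resources>
    <Actions>
      <Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
          <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
              DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ActionMatch>
      </Action>
    </Actions>
  </Target>
  <!-- Permit only when every field in the write is on the published list and the
       request's purpose is one the P3P statement declared. -->
  <Rule RuleId="permit-standard-log-fields" Effect="Permit">
    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
        <ActionAttributeDesignator AttributeId="urn:example:attr:log-fields"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">clientAddress</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">userName</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">localTime</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bytesSentToClient</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">referrer</AttributeValue>
        </Apply>
      </Apply>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
        <ActionAttributeDesignator AttributeId="urn:example:attr:purpose"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">develop</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <!-- Any other write under this target (other fields, other purposes) is denied. -->
  <Rule RuleId="deny-everything-else" Effect="Deny"/>
</Policy>
```

The combining algorithm has to be first-applicable here: with deny-overrides, the catch-all Deny rule would always apply and the Permit rule could never win. The check an auditor can make is mechanical: every DATA element in the P3P statement must map onto a field in the string-bag of the Permit rule, and every PURPOSE onto a value in the purpose bag; a field or purpose in the XACML policy with no P3P counterpart is a collection the site never disclosed.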

In another example, a medical facility may need to comply with the U.S. Dept. of Health and Human Services HIPAA Privacy Rule. This rule refers to "protected health information" or "individually identifiable health information". It says that protected health information MUST be disclosed to an identifiable individual or the individual's personal representatives whenever they request access. This requirement would be expressed in generic terms in a P3P policy. In the corresponding XACML policies, this requirement would be made concrete by listing the specific information fields in specific computer-readable files that qualify as "protected health information". The policies would require a match between the accessing user's authenticated identity and the fields in those files that name the identifiable individual or the individuals who have been designated as personal representatives.
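The identity match described above in XACML 1.0 form. This is an added illustration, not part of the original note: it assumes the facility tags each record with a classification attribute (urn:example:attr:data-class) and exposes two record fields as resource attributes, the individual the record is about (urn:example:attr:phi-subject-id) and the list of named personal representatives (urn:example:attr:phi-personal-representatives); all three identifiers are hypothetical. The subject-id is the authenticated identity the enforcement point places in the request.

```xml
<!-- XACML 1.0 policy giving individuals and their personal representatives read
     access to their own protected health information (constructed example).
     The urn:example attribute identifiers are assumptions about how the facility
     labels its files; subject-id is the authenticated identity supplied by the
     enforcement point. -->
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
        PolicyId="urn:example:policy:phi-individual-access"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target>
    <Subjects><AnySubject/></Subjects>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">protected-health-information</AttributeValue>
          <ResourceAttributeDesignator AttributeId="urn:example:attr:data-class"
              DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ResourceMatch>
      </Resource>
    </Resources>
    <Actions>
      <Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
          <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
              DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ActionMatch>
      </Action>
    </Actions>
  </Target>
  <Rule RuleId="permit-individual-or-representative" Effect="Permit">
    <!-- Permit when the authenticated subject-id equals the record's individual, or
         appears in the record's list of named personal representatives.
         MustBePresent makes a request with no subject-id Indeterminate instead
         of a silent mismatch. -->
    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
              DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <ResourceAttributeDesignator AttributeId="urn:example:attr:phi-subject-id"
              DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </Apply>
      </Apply>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
              DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
        </Apply>
        <ResourceAttributeDesignator AttributeId="urn:example:attr:phi-personal-representatives"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </Apply>
    </Condition>
  </Rule>
  <!-- Everyone else reaches this rule. Other policies that touch PHI (for
       example, access by treating clinicians) must be audited together with it. -->
  <Rule RuleId="deny-others" Effect="Deny"/>
</Policy>
```

Two details matter for the privacy guarantee. The comparison is against the subject-id the enforcement point authenticated, not against anything the requester supplies in the request body, so the policy is only as strong as the authentication in front of it. And the Deny rule at the end only covers this policy; the P3P-level statement is honoured only if no other XACML policy in the set grants a wider read on resources carrying the same data-class, which is the audit the next paragraph describes.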

XACML policies express not just privacy policies, but policies for any type of access to resources. In this way, a complete set of XACML policies can be audited to ensure that privacy policies are not being circumvented via other access control policies.

Summary

P3P policies and XACML policies serve complementary purposes. P3P policies express privacy policies in terms that human users can understand; they express externally published policies in a generalized, high-level form. XACML policies express the same privacy policies in terms that computer access control mechanisms can understand and enforce; they express policies in a fine-grained, internally applicable form. The two levels of policy should be consistent with each other, and together they enable an auditor to determine whether the enterprise is complying with its stated privacy policies.
