W3C Workshop on Constraints and Capabilities for Web Services
Declarative Policies for Describing Web Service Capabilities and Constraints
October 13, 2004
Though the description of capabilities and constraints for web services is an important problem, we believe that is it part of a much larger problem : controlling the behavior of autonomous entities in open, dynamic environments. This problem deals with not only with the specification of attributes (i.e. privacy restrictions, access control rules, communication requirements) that will enable interacting entities to behave appropriately, but also with the specification of all aspects of the behavior of entities (i.e. what entities can or must or may do under certain circumstances). Actually, the former specification is a subset of the latter. We believe that research into governing behavior of autonomous entities like agents and web services will provide suitable solutions to these kind of specifications.
We propose that behavior can be described using declarative policies that are based on deontic concepts including permissions, obligations, claims, prohibitions, and privileges. These policies will describe what the ideal behavior for an entity is in a certain context. For example, the constraint 'You must use HTTP Authentication when accessing this service' can be modeled as appropriate behavior for an entity (agent, web service, human user) that wants to use a service. The entity is 'permitted' to access the service if it meets a certain condition i.e. uses HTTP authentication. It can be described as an access control policy for the service. However, these policy specifications should not only be able to represent security, but all aspects of behavior including privacy, management, conversation, etc. Another example is 'You MAY use GZIP compression'. This can represented as a 'privilege' or a 'claim', but it again represents the ideal behavior of the entity. Negative modalities should also be possible. For example, 'You SHOULD not use my contact details for marketing of services or products' prohibits the entity (in this case a website) from performing a certain action and 'Authentication is not required if a valid cookie is set' is a dispensation that frees the entity from the obligation of authenticating itself.
Even though these policies represent how the entity should ideally behave, whether the entity conforms to the policy depends either on the entity or the enforcement mechanism. In the case of web services, it is possible to include the enforcement mechanism into brokering services like the OWL-S MatchMaker or Virtual Machine, which act as a liaison between the interacting entities. However, in truly dynamic open environments, there will be peer-peer communication and entities will be responsible for their own behavior. So, along with enforcement, we also propose a more normative approach, where each entity is capable of reasoning over its own policies and goals, and the policies of the entities it needs to interact with, in order to infer how it should behave. In order to meet this requirement, an entity should be able to understand the policies applicable to it. We propose that machine-understandable specification languages should be used to describe policies over shared ontologies. These policies should not only include norms of different kinds of behavior but also model the consequences of deviating from the policy in order to influence an entity's decision to adhere to the policy.
Oracle Conference Center, Redwood Shores, CA, USA
Downloads: 8035 downloads
Google Scholar Citations: 23 citations