Policy By Reference Profile

Note: this area supports the collaborative building of a Policy By Reference Profile. This profile is sponsored by http://www.tscp.org

Use cases

  1. Information labeling (baseline): security labels, applied to documents, indicate all the protection policies that must be enforced
    • The security labels, targeted for human-users (procedural enforcement) and systems (systemic enforcement), indicate the identifier of the policies
    • The part of the label targeted for systems contains the identifier of the applicable policy
  2. Information labeling (policy update): some policies, such as export control policies, may change overtime, and these changes must be applied on all documents these policies apply
    • The documents do not change, in contents or metadata. The policy identifier indicated by the security label allows to retrieving the updated policy access rules


  1. Policy Authority: the entity (organization) who is authoritative over a given policy. For example, the US Directorate of Defense Trade Control (DDTC) is Policy Authority of International Traffic in Arms Regulations (ITAR) export control policy
  2. Policy Data Binding: mechanism that allow to determine the policy rules that must apply to a data element
  3. Policy Reference: a (resource) attribute that is a reference allowing appplications to retrieve the associated policy rules
  4. Non-versioned Policy Reference: there is no version associated to the policy reference: implictely indicates the latest version
  5. Versioned Policy Reference: there is version associated to the policy reference: explicitely indicates the specified version

Statement of requirements

  1. Data resources may have multiple policy references
    • All the applicable policies must permit access
  2. Depending on policy authority requirement, policy identifiers can be either non-versioned or versioned

Open Issues

  1. Achieving agreement on attributes and values has proven difficult in practice (Hal)

    • Communities of interest must agree upon common operating rules, inclusive of business and technical profiles
  2. Does a policy-id refer to one policy only or also to contained policies? (Hal)

    • A policy-id refers to one policy only. The policy can be part of a business context, which may needs to be identified as well, for example in order for applications to fetch the containing policy set first, before it can fetch the referred policy. The larger policy-set could be mapped to a policy cohort
  3. Where does one find the authoritative instances of referenced policies? How do you know this policy is the same one as it was intended? Policies can be edited to correct errors for example and their id not necessarily changed. (Hal)

    • The authoritative instance of referenced policy must be available by the associated Policy Authority. Policy Authorities can modify policies and hence must keep track of versions of the policies that they emit
  4. Should a policy reference refer to Policy Id and Version? (Hal)

    • This is a decision of the policy authority, and both cases must be supported. So a policy reference may be versionned or non-versionned
  5. What is the trust model? If the PEP says to use a particular policy, does that mean it is automatically trusted? (Hal)

    • The PEP is must be trusted in providing the PDP with a correct and trustable set of attributes, inclusive of the policy-identifier resource attribute. The PDP must be trusted in considering for evaluation a trusted policy-set, that is related to a trusted protection profile
  6. In practice, there are many use cases where a specified policy for document needs to be combined with other local policies. For example, ITAR regulations and privacy rules may have to be followed everywhere, but a particular web site may further restrict access to members. Does your scheme support that? (Hal)

    • Data resources may have multiple policies and associated access rules; all access rules need to grant in order to grant access (DenyOverride). The example you provided is supported by having two labels: one for an ITAR TAA License, and one for, say, an Intellectual Property License

  7. If you are trying to bind a policy to a specific resource, why not have the policy reference the policy id or have a special value meaning ‘the resource I am attached to’, rather than mapping from request to policy? (Hal)

    • This profile is only applicable to use-cases that require explicit indication (on the resource) of all the policies that need to apply, so the resource must know of all the policies that need to apply. As you suggest there are use-cases where policies know about resources they are attached to, and these are not covered bby the proposed profile


  1. How is the policy reference represented?
    • As a resource attribute, with name "urn:oasis:names:tc:xacml:3.0:resource:policy-id"
  2. How is the policy reference version represented (whenever applicable)?
    • To-DO

Policy Reference Profile (last edited 2012-07-13 14:39:07 by jean-paul.buu-sao.tscp)