INTERNET SECURITY TOPIC - PowerPoint PPT Presentation

Slides: 12
Provided by: win1292

Transcript and Presenter's Notes

Title: INTERNET SECURITY TOPIC


1
  • INTERNET SECURITY TOPIC

2
A P3P Preference Exchange Language (APPEL)
Introduction
by W3C working draft
3
P3P Basic
  • P3P is designed to inform users about the privacy
    policies of services (Web sites and applications
    that declare privacy practices).
  • Policies can be parsed automatically by user
    agents.

4
Basic P3P interaction process

[Diagram: User, User agent and Service. Labels: Request a web page; Fetch P3P policy; Inform user about policies.]
5
Goal of P3P
  • It allows Web sites to present their
    data-collection practices in a standardized,
    machine-readable, easy-to-locate manner.
  • It enables Web users to understand what data will
    be collected by sites they visit and how that data
    will be used.

6
  • <appel:RULE behavior="block">
  • <p3p:POLICY>
  • <p3p:STATEMENT>
  • <p3p:DATA-GROUP>
  • <p3p:DATA>
  • <p3p:CATEGORIES appel:connective="or">
  • <p3p:physical/>
  • <p3p:demographic/>
  • </p3p:CATEGORIES>
  • </p3p:DATA>
  • </p3p:DATA-GROUP>
  • <p3p:RECIPIENT appel:connective="or">
  • <p3p:other-recipient/>
  • <p3p:public/>
  • <p3p:delivery/>
  • </p3p:RECIPIENT>
  • </p3p:STATEMENT>
  • </p3p:POLICY>
  • </appel:RULE>

7
Sample Ruleset in APPEL 1.0
  • <appel:RULE behavior="request">
  • <appel:REQUEST-GROUP>
  • <appel:REQUEST uri="http://www.my-bank.com/"/>
  • </appel:REQUEST-GROUP>
  • <p3p:POLICY>
  • <p3p:STATEMENT>
  • <p3p:RECIPIENT appel:connective="or-exact">
  • <p3p:ours/>
  • </p3p:RECIPIENT>
  • </p3p:STATEMENT>
  • </p3p:POLICY>
  • </appel:RULE>
  • Explanation: This "request" rule only continues
    to match the policy if it has been fetched while
    requesting a Web resource from www.my-bank.com.
    The request element allows the creation of rules
    that only apply to a certain resource or domain.

8
Sample Ruleset in APPEL 1.0
  • <appel:RULE behavior="request" prompt="yes">
  • <p3p:POLICY>
  • <p3p:STATEMENT>
  • <p3p:PURPOSE appel:connective="or-exact">
  • <p3p:develop/>
  • <p3p:admin/>
  • </p3p:PURPOSE>
  • <p3p:DATA-GROUP appel:connective="or-exact">
  • <p3p:DATA ref="User.Name."/>
  • </p3p:DATA-GROUP>
  • </p3p:STATEMENT>
  • <p3p:DISPUTES-GROUP>
  • <p3p:DISPUTES service="http://trustus.org"/>
  • </p3p:DISPUTES-GROUP>
  • </p3p:POLICY>
  • </appel:RULE>
  • Explanation: The user agrees to provide their name
    for admin purposes (non-marketing purpose assurance
    from PrivacyProtect and TrustUS), but the user would
    still like to supervise all data transfers.

9
Matching summary (six connectives total)
  • E = expression, X = evidence
  • If an "or" connective is given in E: at least one
    of E's contained expressions (if any) matches X's
    enclosed elements (additional enclosed elements in
    evidence X which are not referenced in expression
    E are ignored).
  • If an "and" connective is given in E: all of E's
    contained expressions (if any) match X's enclosed
    elements (additional enclosed elements in evidence
    X which are not referenced in expression E are
    ignored).
  • If a "non-or" connective is given in E: none of
    E's contained expressions (if any) match X's
    enclosed elements (additional enclosed elements in
    evidence X which are not referenced in expression
    E are ignored).
  • If a "non-and" connective is given in E: not all
    of E's contained expressions (if any) match X's
    enclosed elements (additional enclosed elements in
    evidence X which are not referenced in expression
    E are ignored).

10
Matching summary (six connectives total)
  • If an "or-exact" connective is given in E: at least
    one of E's contained expressions (if any) matches
    X's enclosed elements (additional enclosed
    elements in evidence X which are not referenced
    in expression E are not ignored).
  • If an "and-exact" connective is given in E: all of
    E's contained expressions (if any) match X's
    enclosed elements (additional enclosed elements in
    evidence X which are not referenced in expression
    E are not ignored).
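
Added example (not part of the original slides or of the W3C draft): a small recursive matcher that applies the six connectives summarized above to a constructed rule and a constructed site policy. The namespace URIs are placeholders, the helper names are hypothetical, attributes other than the connective are not compared, and "and" is assumed when an expression carries no connective.

```python
import xml.etree.ElementTree as ET

# Placeholder namespace URIs chosen for this example, not the W3C ones.
NS = 'xmlns:appel="urn:example:appel" xmlns:p3p="urn:example:p3p"'
CONNECTIVE = "{urn:example:appel}connective"

def matches(expr, evid):
    """True if APPEL expression E (`expr`) matches evidence X (`evid`)."""
    if expr.tag != evid.tag:          # attributes are not compared in this sketch
        return False
    subs = list(expr)
    if not subs:                      # leaf such as <p3p:public/>: name match is enough
        return True
    hits = [any(matches(s, x) for x in evid) for s in subs]
    # Enclosed elements of X that no contained expression of E references.
    extras = [x for x in evid if not any(matches(s, x) for s in subs)]
    outcome = {
        "or": any(hits),
        "and": all(hits),
        "non-or": not any(hits),
        "non-and": not all(hits),
        "or-exact": any(hits) and not extras,    # extras are NOT ignored
        "and-exact": all(hits) and not extras,
    }
    conn = expr.get(CONNECTIVE, "and")  # assumption: "and" when no connective is given
    if conn not in outcome:
        raise ValueError(f"unknown connective: {conn}")
    return outcome[conn]

def fired_behavior(rule_xml, policy_xml):
    """Return the rule's behavior if every expression in it matches, else None."""
    rule, policy = ET.fromstring(rule_xml), ET.fromstring(policy_xml)
    return rule.get("behavior") if all(matches(e, policy) for e in rule) else None

def make_rule(connective, *recipients):
    """Constructed rule: block when the RECIPIENT expression matches."""
    body = "".join(f"<p3p:{r}/>" for r in recipients)
    return (f'<appel:RULE {NS} behavior="block"><p3p:POLICY><p3p:STATEMENT>'
            f'<p3p:RECIPIENT appel:connective="{connective}">{body}'
            f'</p3p:RECIPIENT></p3p:STATEMENT></p3p:POLICY></appel:RULE>')

def make_policy(*recipients):
    """Constructed site policy (evidence) with one statement."""
    body = "".join(f"<p3p:{r}/>" for r in recipients)
    return (f'<p3p:POLICY {NS}><p3p:STATEMENT><p3p:PURPOSE><p3p:admin/>'
            f'</p3p:PURPOSE><p3p:RECIPIENT>{body}</p3p:RECIPIENT>'
            f'</p3p:STATEMENT></p3p:POLICY>')

if __name__ == "__main__":
    site = make_policy("ours", "public")
    for c in ("or", "or-exact"):
        print(c, fired_behavior(make_rule(c, "ours"), site))
```

Against a policy that lists both "ours" and "public" as recipients, the "or" rule on "ours" fires while the "or-exact" rule does not, because the unreferenced "public" element counts against an exact match.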

11
Future work of Current APPEL
  • Extensibility of behaviors
  • Comparison operators for simple numeric
    expressions
  • Expiration dates