Dagstuhl Seminar 10141
Distributed Usage Control
(Apr 06 – Apr 09, 2010)
Organizers
- Sandro Etalle (TU Eindhoven, NL)
- Alexander Pretschner (KIT - Karlsruher Institut für Technologie, DE)
- Ravi S. Sandhu (The University of Texas - San Antonio, US)
- Marianne Winslett (University of Illinois - Urbana-Champaign, US)
Contact
- Annette Beyer (for administrative matters)
In general, access control defines who may access which data, and under which circumstances. A good access control system is at the base of every process which handles confidential information. As an extension to access control, usage control is about defining and enforcing how data may or may not be handled after it has been accessed (e.g., "do not disseminate," "delete after thirty days," "notify me when accessed," "use only for scientific purposes"). Usage control is particularly relevant when it comes to privacy, protection of trade secrets or intellectual property, digital rights management, and auditing/compliance in the context of regulatory frameworks. Usage control is hence relevant for both society and economics.
While there is a pressing need for usage control, existing solutions are partial – e.g., via access control mechanisms – and often specialized. The problem is particularly challenging in distributed environments where servers, which give away data, can neither see nor control what clients do with the data after their reception. In this setting, enforcement can be accomplished in one of two ways: by ensuring that policies are not violated, or by detecting and reporting violations, online or off-line. These two approaches apply in different technological environments, and they apply to different underlying trust and business models.
With about 50 attendees, the Dagstuhl seminar on Distributed Usage Control received an overwhelming response to the invitations that were sent out. One noteworthy characteristic of the seminar was its multidisciplinary nature. Security is not only technical; it is a multidisciplinary field that has legal, regulatory and societal aspects too. This makes security research particularly challenging. This Dagstuhl seminar had a technical core, but also sparked discussions in neighboring fields, in particular on a plethora of issues related to privacy. This gave rise to three days of lively discussion, with a regular interleaving of general agreements and disagreements.
In sum, the seminar enjoyed a somewhat unexpected focus on privacy-related issues and intense discussions on the general subject of security research and its connection or disconnection with real-world problems. To the surprise of some, there continues to be disagreement on whether 100% security is a desirable goal, even though it is unlikely to be reached, or whether pragmatic considerations including cost, feasibility, usability, innovation and fun should rather lead to a risk-based approach that aims at imperfect security, and on whether the community should not strive to understand what the risks are, and what imperfect security really is.
Participants
- Rafael Accorsi (Universität Freiburg, DE)
- Andreas Bauer (NICTA - Canberra, AU)
- Lujo Bauer (Carnegie Mellon University - Pittsburgh, US)
- Barbara Carminati (University of Insubria - Varese, IT)
- David Chadwick (University of Kent, GB)
- Yanling Chen (Fraunhofer IESE - Kaiserslautern, DE)
- Jason Crampton (Royal Holloway University of London, GB)
- Jorge R. Cuéllar (Siemens AG - München, DE)
- Sandro Etalle (TU Eindhoven, NL)
- Michael Franz (University of California - Irvine, US)
- Dieter Gollmann (TU Hamburg-Harburg, DE)
- Marit Hansen (ULD SH - Kiel, DE)
- Renato Iannella (NICTA - Brisbane, AU)
- Lalana Kagal (MIT - Cambridge, US)
- Günter Karjoth (IBM Research GmbH - Zürich, CH)
- Basel Katt (Universität Innsbruck, AT)
- Felix Klaedtke (ETH Zürich, CH)
- Prachi Kumari (Fraunhofer IESE - Kaiserslautern, DE)
- Adam Lee (University of Pittsburgh, US)
- Hannah K. Lee (TU Hamburg-Harburg, DE)
- Kristen LeFevre (University of Michigan - Ann Arbor, US)
- Enrico Lovat (Fraunhofer IESE - Kaiserslautern, DE)
- Michael Marhöfer (Nokia Siemens Networks - München, DE)
- Oliver Maschino (TU Kaiserslautern, DE)
- Fabio Massacci (University of Trento, IT)
- Frank McSherry (Microsoft Corp. - Mountain View, US)
- Stephan Micklitz (Google - München, DE)
- Gerome Miklau (University of Massachusetts - Amherst, US)
- Günter Müller (Universität Freiburg, DE)
- Ricardo Neisse (Fraunhofer IESE - Kaiserslautern, DE)
- Sylvia Osborn (University of Western Ontario - London, CA)
- Federica Maria Francesca Paci (University of Trento, IT)
- Andreas Pfitzmann (TU Dresden, DE)
- Frank Piessens (KU Leuven, BE)
- Erik Poll (Radboud University Nijmegen, NL)
- Bruno Pontes Soares Rocha (TU Eindhoven, NL)
- Alexander Pretschner (KIT - Karlsruher Institut für Technologie, DE)
- Ravi S. Sandhu (The University of Texas - San Antonio, US)
- Christian Schaefer (DOCOMO Euro-Labs - München, DE)
- Anna Squicciarini (Pennsylvania State University, US)
- Daniel Trivellato (TU Eindhoven, NL)
- William H. Winsborough (The University of Texas - San Antonio, US)
- Marianne Winslett (University of Illinois - Urbana-Champaign, US)
- Artsiom Yautsiukhin (CNR - Pisa, IT)
- Nicola Zannone (TU Eindhoven, NL)
Classification
- security / cryptology
- software engineering
- operating systems
Keywords
- data protection
- privacy
- access control
- usage control
- security policies
- trust
- trusted computing
- compliance
- DRM
- information flow