Supporting Organizationally Accepted Practice (SOAP)
University of Southern California
Information Sciences Institute
Project Staff
Objective
The SOAP project is developing extensions to existing network
infrastructure to enable application client and server software to
follow accepted practices regarding information flow, server
selection, and acceptable use of network services. The software being
developed allows applications and users to specify access control
policies on information objects, enforce accreditation requirements
for network services, and specify confidentiality, integrity, and
privacy policies for disseminated data.
Technical Approach
Client and server software for the Prospero Directory Service (PDS)
has been extended by including user attributes in requests for data
that are interpreted by the server. Additionally, dissemination
constraints stored with data are returned to the application client
where they may be interpreted and used to prevent unintentional content
release through inclusion in other documents or forwarding.
Applications use the attributes regarding information flow to provide
appropriate protection, to collect payment for access to intellectual
property, and to prevent unintentional dissemination of sensitive, but
unclassified, information.
Constraints on server selection allow applications running in
organizations like the federal government, or more specifically the
military, to reduce or eliminate dependence on commercial network
services that do not meet established criteria for reliability,
security, or authority to do business with them.
Confidentiality and integrity protection of data are provided through
extensions to the Asynchronous Reliable Delivery Protocol (ARDP) using
security services from the DARPA-funded SILDS effort. ARDP is a
request-response transport protocol that has been developed as part of
the SOAP and GOST efforts, and is used as a transport protocol by the
Prospero Directory Service.
Using ARDP's security context, clients and servers can perform
integrity and privacy protection on data and transmit authentication,
authorization, and payment information to application servers. The
integration of security with ARDP provides for service accreditation,
access control, and intellectual property rights recognition and
enforcement.
Accomplishments GFY 1998
- A new secure version of the ARDP transport protocol has been
designed and developed. ARDP is a lightweight, reliable
request-response transport protocol. The integration of security
enables the protocol to provide secure client-server
communication. This functionality includes data privacy and integrity
functions using Kerberos-based encryption, authentication, and
integrity. Development of ARDP integrates components from the
DARPA-funded SOAP, GOST and SILDS projects.
- An annotation framework to assist users in finding pertinent
information in distributed systems has been designed and
developed. The framework consists of annotation semantic categories,
determination of the expertise of the annotators, and mechanisms for
payment for services. This framework is offered as an Application
Programmers Interface (API) allowing developers to build applications
on top of it.
- A Distributed Intellectual Property Protection Policy (DIPP)
module was developed as an extension to the protocol governing the
dissemination of data by intermediate servers. This provides control
over the release of sensitive content from cache servers. DIPPs provide a
mechanism to include access control information along with cached
data, and to forward requests to other servers when these constraints
require further evaluation. One application of the terms and
conditions pointer embedded within a DIPP is in support of querying
and declassification of data by an appropriate authority when
DIPP-protected data is accessed beyond the policies specified by the
DIPP.
Technical Plan for GFY 1999
- Complete the development of the collaborative filtering effort
for the Prospero e-mail system. The framework for collaborative
filtering will provide an additional method for controlling the flow
of information through an organization, based on annotations by initial
readers, and according to job classification and user preference.
- Support the use of the Prospero Directory Service by other
projects at other organizations, including the VISAGE project from the
Maya Design Group.
- Add an LDAP interface to the Prospero Database.
Technology Transition
The protocols described in this summary are being discussed at IETF
meetings to get necessary input from users of these technologies and
to facilitate tproject.
Technology will be transferred through channels that have already been
established as part of previous work on the Prospero Directory
Service, and the Prospero Resource Manager. Prior releases of PDS have
been distributed widely, and it has been used as an embedded service
by applications running from more than 100,000 systems on the
Internet. Stand-alone modules for incorporation into applications are
available, allowing the resulting extensions to be used by others.
ISI is working with the Maya Design Group of Pittsburgh, PA, who are
utilizing Prospero for data storage and access in a distributed
implementation of VISAGE.
ISI worked with the venture capital firm, Media Technology Ventures, to
transfer the caching technology to a startup firm, Brevity Technology,
which intends to make a meta-directory product.
Former Students
Konstadinos Kutsikos, Graduate Research Assistant
last modified 07/17/98 sg