The SOAP Project

Supporting Organizationally Accepted Practice (SOAP)

University of Southern California
Information Sciences Institute

Project Staff

B. Clifford Neuman, Scientist and Research Assistant Professor (Project Leader)
Katia Obraczka, Scientist
Steven Augart, Programmer Analyst
Sridhar Gullapalli, Programmer Analyst
Dongho Kim, Graduate Research Assistant
Rebecca Jordan, Project Support
Jeanine Yamazaki, Project Support

Objective

The SOAP project is developing extensions to existing network infrastructure to enable application client and server software to follow accepted practices regarding information flow, server selection, and acceptable use of network services. The software being developed allows applications and users to specify access control policies on information objects, enforce accreditation requirements for network services, and specify confidentiality, integrity, and privacy policies for disseminated data.

Technical Approach

Client and server software for the Prospero Directory Service (PDS) has been extended by including user attributes in requests for data that are interpreted by the server. Additionally, dissemination constraints stored with data are returned to the application client where they may be interpreted and used to prevent unintentional content release through inclusion in other documents or forwarding.

Applications use the attributes regarding information flow to provide appropriate protection, collect payment for access to intellectual property, and to prevent unintentional dissemination of sensitive, but unclassified, information.

Constraints on server selection allow applications running in organizations like the federal government, or more specifically the military, to reduce or eliminate dependence on commercial network services that do not meet established criteria for reliability, security, or authority to do business with them.

Confidentiality and integrity protection of data are provided through extensions to the Asynchronous Reliable Delivery Protocol (ARDP) using security services from the DARPA funded SILDS effort. ARDP is a request-response transport protocol that has been developed as part of the SOAP and GOST efforts, and is used as a transport protocol by the Prospero Directory Service.

Using ARDP's security context, clients and servers can perform integrity and privacy protection on data and transmit authentication, authorization, and payment information to application servers. The integration of security with ARDP provides for service accreditation, access control, and intellectual property rights recognition and enforcement.

Accomplishments GFY 1998

A new secure version of the ARDP transport protocol has been designed and developed. ARDP is a lightweight, reliable request-response transport protocol. The integration of security enables the protocol to provide secure client-server communication. This functionality includes data privacy and integrity functions using Kerberos-based encryption, authentication, and integrity. Development of ARDP integrates components from the DARPA funded SOAP, GOST and SILDS projects.
An annotation framework to assist users in finding pertinent information in distributed systems has been designed and developed. The framework consists of annotation semantic categories, determination of the expertise of the annotators, and mechanisms for payment for services. This framework is offered as an Application Programmers Interface (API) allowing developers to build applications on top of it.
A Distributed Intellectual Property Protection Policy (DIPP) module was developed as an extension to the protocol governing the dissemination of data by intermediate servers. This provides control on the release of sensitive content from cache servers. DIPPs provide a mechanism to include access control information along with cached data, and to forward requests to other servers when these constraints require further evaluation. One application of the terms and conditions pointer embedded within a DIPP is in support of querying and declassification of data by an appropriate authority when DIPP protected data is accessed beyond the policies specified by the DIPP.

Technical Plan for GFY 1999

Complete the development of the collaborative filtering effort for the Prospero e-mail system. The framework for collaborative filtering will provide an additional method for controlling the flow of information through an organization, based on annotations by initial readers, and according to job classification and user preference.
Support the use of the Prospero Directory Service by other projects at other organizations, including the VISAGE project from the Maya Design Group.
Add an LDAP interface to the Prospero Database.

Technology Transition

The protocols described in this summary are being discussed at IETF meetings to get necessary input from users of these technologies and to facilitate tproject.

Technology will be transferred through channels that have already been established as part of previous work on the Prospero Directory Service, and the Prospero Resource Manager. Prior releases of PDS have been distributed widely, and it has been used as an embedded service by applications running from more than 100,000 systems on the Internet. Stand-alone modules for incorporation with application are available, allowing the resulting extensions to be used by others.

ISI is working with the Maya Design Group of Pittsburgh, PA, who are utilizing Prospero for data storage and access in a distributed implementation of VISAGE.

ISI worked with the venture capital firm, Media Technology Ventures, to transfer the caching technology to a startup firm, Brevity Technology, which intends to make a meta-directory product.

Former Students

Konstadinos Kutsikos, Graduate Research Assistant

last modified 07/17/98 sg