In the field of web services, requirements and capabilities can be described using XML according to the WS-Policy specification [ 1 ]. The policies can be applied to the web services message exchange, which is commonly machine-to-machine communication with multiple participants, for assuring security goals. This leads to the need for WS-Policy intersection, a technique used when two or more web services want to communicate and fulfill each others policy. Currently, this approach can only handle the case that intersection within the participating policies exists [ 2 ]. Otherwise it fails and the further communication cannot be achieved.

Hence, our motivation is to find a way to make intersection possible even in the case that there is no direct intersection by adjusting one or both party’s policy, e.g. by adding some policy aspects. This is achieved by a multi-layer approach: First, every WS-Policy, which can be seen as a set of Boolean terms, is converted into its disjunctive normal form (DN F ), so that policies are easy to compare and finding matching terms is simple. In the case that there is a match, the decision for the participants is obviously done. If there is no direct intersection, this paper introduces a model for an arbitrary number of parties, that computes these adjustments using partial order sets to enforce policy intersection for all participants.

WS-Policy and Policy Intersection WS-Policy is a framework for describing policies using XML [ 3,1 ]. In the context of web services, it is commonly used to specify which parts of a message should be signed or encrypted using WS-SecurityPolicy [ 4 ]. The structure of a WS-Policy can be seen as a Boolean term, but written in XML. It consists of an enveloping <Policy/> element which can contain arbitrary AND (element: <All/>) and XOR (element: <ExactlyOne/>) expressions. For each term, there exists a disjunktive normal form (DN F ). It is an XOR-junction of propositions derived from the compact form using boolean algebra [ 5 ]. Consider the following example, which does not use any XML for simplicity:

A1 ∧ (A2 ⊕ A3) D=NF

A1 ∧ A2 ⊕ A1 ∧ A3

A|ltern{aztive}1 A|ltern{aztive}1

From the DN F , one can easily see the policy alternative: They are a bundle of assertions which must be fulfilled.

The WS-Policy Intersection process identifies compatible policy alternatives included in all parties policies or returns nothing if there are no matches [ 6 ]. Two alternatives are compatible, if the sets of included assertions are identical. 2.2

Ordered Sets and Hasse Diagrams A partially ordered set (poset) is a mathematic tool generalizing the concept of arranging and ordering elements. In a poset, there exists a relation between pairs of elements, e.g. the ”≤”-relation, so that the elements can be compared. When this relation exists for each possible pair, then the poset is called a chain (or total ordered set). In addition a poset in which no two distinct elements are comparable is called antichain.

A Lattice is an ordered set where every pair of elements has a least upper bound (LUB) and a greatest lower bound (GLB). In our approach we assume that the posets are all Lattices.

A Hasse or Lattice diagram is a visualization of the finite poset in the form of a drawing, in which nodes are elements of the poset and arrows between related nodes represent the order relation between these elements [ 7,8 ]. In the next section we introduce an example providing a detailed overview of the usage of Hasse diagram. 3

The evaluation of WS-Policy Intersection consists of two main layers as shown in Figure 1:

The preparation layer is responsible for converting each policy into its corresponding DN F . This is achieved either manually or using an software-tool [ 9 ] and Policy2 . .

.

Policyn

Preparation Generate DN F Intersection? o N Yes

Evaluation Bound Extract

Decide

Result is outside the scope of this research. Afterwards, the policy intersection examination unit compares the DN F policies and forwards the results to the evaluation layer. If there is intersection, which means compatible alternatives exist, they are directly forwarded to the decision making unit, which chooses the strongest alternative. In the case of no intersection, the bound extraction unit takes part. It first identifies all ordered sets, which can be chains like AES128 < AES256 or anti-chains which cannot be compared, e.g. SignHeader and SignBody. Afterwards, all sets are combined to one Hasse diagram as shown in Figure 2.

{AES256, SignHeader+Body} {AES256, SignHeader} LUB {AES128, SignHeader+Body} {AES256, SignBody} A1P1 {AES128, SignHeader} {SignHeader}

GLB {AES128} {AES256} ∅

1 {AES128, SignBody} AP2 {SignBody} Consider the two policies P1 and P2, having the alternatives AP1 1 as 1 and AP2 shown. Obviously, they are not compatible. Using the Hasse diagram, the least upper bound (LUB) and the greatest lower bound (GLB) can be easily extracted. In general if we consider that the posets used are all lattices, where each two elements have a LUB/GLB, then we can easily use the meet and join for finding these bounds [ 8 ]. Finally the bounds are forwarded to the decision unit, which has to decide if the GLB or either the LUB should be used.

Note that building the DN F can drastically increase the size of each policy and thus, building the Hasse diagram might lead to a very large model. Nevertheless, the authors believe to the best of their knowledge that this approach will hold for real examples. We stress that a real implementation and evaluation is needed to prove this. 4

Researchers in [ 10 ] investigated a mechanism for calculating compatibility of alternatives. An approach for comparing policies and checking compatibility between alternatives in terms of its assertions to reach intersection is shown in [ 11 ] and [ 12 ]. Policy reconciliation algorithm, a technique to reach policy agreement between two party communication, is introduced in [ 13 ]. Another research using a web ontology language (OWL-DL) is based on the idea that policy assertions and alternatives are mapped in to program classes using OWL to measure compatibility [ 6 ]. Our research focuses on how to examine intersection and find solution for policy agreement by means of partial ordering. 5

This paper presents a model for WS-Policy Intersection using Partial ordered sets. It is the first solution which is able to (1) handle more than two parties and (2) makes proposals for the case that the policies are not directly compatible.

For future work we plan to investigate a real protocol for multi-party negotiation which is applied to the needs and capabilities of a Web services. Additionally, we will add an implementation to show the practical usability.