EPAL Bibliographic Information
EPAL Version 1.74. Enterprise Privacy Authorization Language (EPAL). Edited by Matthias Schunter (IBM Zurich Research Laboratory, Switzerland). IBM Research Report. Date: 2003/05/05. Approximately 70 pages. Latest public version URL: http://www.zurich.ibm.com/security/enterprise-privacy/epal. Authors: Paul Ashley (IBM Tivoli Software), Satoshi Hada (IBM Research), Günter Karjoth (IBM Research), Calvin Powers (IBM Tivoli Software, USA), Matthias Schunter (IBM Research). Appendix 7 provides the complete XML Schema for EPAL.
Relationship of EPAL to Other Specifications
Appendix 6 of the [version 1.74] EPAL specification provides a "Technological Context of EPAL" with reference to W3C's P3P, CPExchange, and XACML. Excerpts:
A P3P policy may contain the purposes, the recipients, the retention period, and a textual explanation of why this data is needed. P3P defines standardized categories for each kind of information included in a policy. Unlike P3P, EPAL defines the privacy-practices that are implemented inside an enterprise. Since this depends on internal details of the enterprise, it results in much more detailed policies that can be enforced and audited automatically. However, the resulting privacy guarantees can sometimes be simplified as a P3P promise that is offered for the users of the services...
The Customer Profile Exchange Specification defines a data format for disclosing customer data from one party (customer/enterprise) to another... The main focus of CPExchange lies in standardizing the data exchange format. The privacy meta-information is less expressive than EPAL. Consequently, data disclosed using CPExchange may be controlled with EPAL policies instead of using their privacy meta-data.
XACML is a general purpose and extensible access control language. Access control is a tool to define and later decide whether a user U is allowed to perform an action A on an object O. XACML lacks the privacy-specific notion of purposes. Unlike XACML, EPAL has an explicit notion of purposes and a syntax that simplifies the formalization of privacy policies...
Note 2005-01: With the publication of XACML Version 2.0, there is a new Privacy Profile of XACML. See also "The Relationship Between XACML and P3P Privacy Policies."
- Update 2003-07-09: EPAL V1.1. "IBM Releases Updated Enterprise Privacy Authorization Language (EPAL) Specification."
- EPAL Reader's Guide to the Documentation
- Enterprise Privacy Authorization Language (EPAL). Specification version 1.74 or later.
- XML Schema of EPAL 1.0. Files: cs-xacml-schema-policy-01.xsd; epal-interface-query.xml; epal-interface-ruling.xml; epal-interface.xsd; epal-policy.xml; epal-vocabulary.xml; epal.xsd. Anne Anderson noted [2003-05-09] that EPAL "imports xacml-context:Request and xacml:Policy, and xacml:Condition is the condition syntax. Examples make use of urn:...xacml:1.0:data-type:x500Name, urn:...xacml:1.0:data-type:rfc822Name, a bunch of our FunctionIds, xacml:AttributeDesignator, etc."
- "Enterprise Privacy Authorization Language (EPAL)" - Main reference page.
- Security, Privacy, and Personalization. General references.