Trust is the top layer of the famous semantic web picture. It plays a crucial role in enabling the potential of the web. While security and privacy do not cover all the facets of trust, they still play a central role in raising the level of trust in web resources. Web services obviously need some form of access control. Moreover, recent experiences with Facebook's "beacon" service and Virgin's use of Flickr pictures have shown that users are not willing to accept every possible use (or abuse) of their data. Therefore, the application of suitable policies for protecting services and sensitive data may determine the success or failure of a new service. In the near future, we might see web services compete with each other by improving and properly advertising their policies.
A major issue in moving towards such a policy-aware web is usability, which in turn has several facets. It is well known that as protection increases, usability is affected by the extra steps required for authentication and other operations related to access control. The information collected for security and privacy purposes extends the amount of sensitive information released by users while navigating the web. Moreover, it is frequently not clear to a common user which policy is actually applied by a system, and what its consequences are (cf. Virgin's case). Similarly, common users may find it difficult to formulate their own privacy requirements and compare them with whatever privacy policy is advertised by a web service.
The work on policies carried out within the network of excellence REWERSE has tackled these aspects by regarding policies as semantic markup. By regarding policies as pieces of machine-understandable knowledge:
- it is possible to assist some of the operations related to access control and information release, thereby improving a user's navigation experience;
- it is easier to support attribute-based access control, which increases the level of privacy in online transactions;
- it is possible to create policy documentation automatically; in this way alignment is guaranteed between the policy enforced by the system and the policy documented in natural language for end users; moreover it is possible to specialize explanations to specific contexts (such as a particular transaction); this may help users to understand why a transaction fails (policy violation or technical problems?), how to get the permissions for obtaining a service, and so on;
- it is possible to create tools for verifying policies and more generally supporting policy authoring; other tools may help users to compare privacy policies and make (semi-)automated policy-aware service selections.
In this project we have designed and implemented the policy framework Protune to embody the above ideas. Protune is meant to support the creation of policies and advanced policy enforcement points, supporting not only traditional access control but also trust negotiation (to automate security checks and privacy-aware information release) and second-generation explanation facilities (to improve user awareness of, and control over, policies).