Subject: RE: Minutes of 3 April 2001 Security Services TC telecon
Note, these are my personal opinions and have not yet been vetted by the XACML group.

In reference to the embedded comment below "Darren, Irving support Eve: XACML is perhaps doing this stuff" and the question in http://lists.oasis-open.org/archives/security-services/200103/msg00101.html, "Question 4: What is an Authorization Decision?": XACML is concerned with the representation of policy, as per the response to "Question 8: Should SAML define a format for policy?", for which the consensus was that format is the job of XACML.

Most definitely, the general format of the exchange should be XML: "W3C has adopted an architectural principle that XML should be used for the syntax of Web formats unless there is a truly compelling reason not to (refer to "Assumed Syntax", by TBL). This principle allows broad applicability of generic XML tools and is more likely to lead to general protocol elements that are useful for multiple purposes." (per http://www.w3.org/2001/04/13-tag). It would certainly be useful, but not required, that the detailed grammar of AuthZ assertions be similar or identical to some subset of XACML.

It seems to be required that AuthZ assertions be minimally as expressive as XACML policy rule conclusions, OR that input to the PDP be sufficiently complete that a yes/no answer is sufficient, OR that the PEP and PDP can have a dialogue that allows the PDP to get more attribute assertions from the PEP. This, however, just changes the nexus of expressiveness to attribute assertions. For example:

Assume the PEP says to the PDP "Here's John with employee id 6934 and group human resource; he wants employee record 2001." Assume the PDP has a policy that says "Grant read to all members of human resources for all employee records so long as the requesting machine is within the human resource intranet." Assuming the PDP understands how to translate "intranet", it could say to the PEP "you can allow READ so long as the user has this IP MASK <some mask>".
Note, the PDP has stripped out all policy except that necessary to make a final decision. In this case the PEP is also a PDP, but with no central policy store. (BTW, it is my opinion that there are at least two entities in a primary PDP: a policy store and a policy interpretation engine. If others agree, then we need to decide who should look at this issue, the SAML group or the XACML group, and whether the distinction should be made clear in the SAML scope diagram.)

Alternatively, the PEP could have said "Here's John with employee id 6934, IP 63.56.25.25 and group human resource; he wants to READ employee record 2001." The PDP could then respond, "give him access."

Another alternative would be for the PEP and PDP to engage in a dialogue so that the PDP can get all necessary attribute assertions prior to making a decision and then simply say "give him access." I think the mechanics of this are squarely within SAML (have fun with this one, folks! ;-).

My opinion is you should support all three alternatives. And we will definitely have to co-ordinate on the form of some assertions, be they attribute or AuthZ.

Simon Y. Blackwell
CTO Psoom, Inc.
Voice & Fax: 415-762-9787

-----Original Message-----
From: Eve L. Maler [mailto:eve.maler@east.sun.com]
Sent: Friday, April 13, 2001 9:14 AM
To: security-services@lists.oasis-open.org
Subject: Re: Minutes of 3 April 2001 Security Services TC telecon

One correction to the minutes of the last telecon:

At 03:09 PM 4/6/01 -0400, Eve L. Maler wrote:
>Minutes of the OASIS Security Services Technical Committee telecon
>3 April 2001
>...
>
>Use Case subgroup issues
>========================
>- Discuss authorization decisions:
>
>http://lists.oasis-open.org/archives/security-services/200103/msg00101.html
>
> Hal: the sticky part has to do with the response. How do we represent
> what the question is? PEP-PDP case: If you can ask the question then
> you can represent it, and can you use that for the answer?
>
> Phill: PDP needs to say something more than just yes or no.
> There's a thread in the -core list on this.
> There's an example in XKMS along this line.
> Hopes to get another example out soon.
>
> summary (Hal): There's a simple, common case(s) that we can optimize.
>
> Eve: authz decision assertion -- what all does it contain, that's the
> question.
>
> DaveO: We're getting into an area that's controversial and complex.
> Maybe we should leave for a later version of SAML. Likes the idea of
> keeping things simple at this point and doing just "yes"/"no" at
> this time. Content negotiation in HTTP and difficulties thereof is
> an example of the complex stuff.
>
> Phill: seconds that, content negotiation was not implemented correctly
> across implementations.
>
> Eve: Sounds like the concern is legitimate.
>
> Phill: Wants to avoid an elaborate choreography, but a bit more than
> yes/no might be workable. E.g., the "respond" element from XKMS that
> he's waved around in the Core subgroup. A rules-based engine ought
> to be able to return more than yes/no. Can only really standardize what
> the intersection is of all the models.
>
> Hal: Pose question to group "is it NOT worth our time to try to propose
> specific stuff in this area?"
>
> Eve: Thinking along DaveO's lines that we shouldn't go down this path.
>
> Darren, Irving support Eve: XACML is perhaps doing this stuff.
>
> Eve: burden of proof is on those who can produce scenarios where simple
> yes/no answers aren't sufficient.
>
> ? - an example is scaling issues in database apps -- ask for yes/no on
> each item in a large result set?

This was Ken Yagen.

...

>Attendance
>==========
>MEMBERS
>Stephen Farrell Baltimore
>Patrick McLaughlin Baltimore
>Irving Reid Baltimore
>Alex Ceponkus Bowstreet
>Krishna Sankar Cisco

Add Ken Yagen of CrossLogix.
>Brian Eisenburg DataChannel
>Hal Lockhart Entegrity
>Carlisle Adams Entrust
>Alex Berson Entrust
>Bob Griffin Entrust
>Tim Moses Entrust
>Ed Simon Entrust
>Nigel Edwards HP
>Joe Pato HP
>Jason Rouault HP
>Maryann Hondo IBM
>David Orchard Jamcracker
>Gilbert Pilz Jamcracker
>Alan Brown MS
>Marc Chanliau Netegrity
>Prateek Mishra Netegrity
>Adam Prishtina Netscape
>Jeff Hodges Oblix
>Charles Knouse Oblix
>Steve Anderson OpenNetwork
>Duane Hamilton OpenNetwork
>Michael Lyons OpenNetwork
>Mark Griesi OpenNetworks
>Eric Olden Securant
>Darren Platt Securant
>Eve Maler Sun
>Ron Monzillo Sun
>Aravindan Ranganathan Sun
>Mark Vandenwauver Tivoli
>Ron Williams Tivoli
>Bob Morgan UWashington
>Warwick Ford Verisign
>Philip Hallam-Baker Verisign
>Thane Plambeck Verisign
>Jeremy Epstein webMethods

--
Eve Maler +1 781 442 3190
Sun Microsystems XML Technology Development
eve.maler @ east.sun.com

------------------------------------------------------------------
To unsubscribe from this elist send a message with the single word
"unsubscribe" in the body to: security-services-request@lists.oasis-open.org
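The three PEP/PDP alternatives Simon Blackwell sketches (a PDP that returns a residual condition such as an IP mask, a PEP that sends a complete request and gets a plain yes/no, and a PEP/PDP dialogue that fetches missing attribute assertions) are modelled below in Python. This is an added example written for this archive page; it is not code from the message, from the SAML TC or from XACML. The policy, the attribute names (`employee_id`, `group`, `ip`), the mapping of "the human resource intranet" to the network `63.56.25.0/24`, the residual-condition grammar `"<attr> in <cidr>"`, and the request data are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed example: a toy policy matching the HR scenario in the message
# above. Which network "the human resource intranet" denotes is an assumption;
# the PDP is assumed to know how to translate the word into a CIDR.
HR_INTRANET = ipaddress.ip_network("63.56.25.0/24")


@dataclass
class Decision:
    result: str                                          # Permit | Deny | Conditional | NeedAttributes
    conditions: List[str] = field(default_factory=list)  # residual policy handed to the PEP
    missing: List[str] = field(default_factory=list)     # attributes the PDP still wants


class PDP:
    """Policy store plus interpretation engine (the two parts the message separates)."""

    # Policy store: "Grant READ on employee records to human resources, so long
    # as the requesting machine is within the HR intranet." The target part is
    # decidable from attributes the PEP normally sends; the condition needs "ip".
    RULE = {"action": "READ", "resource_prefix": "employee-record/",
            "group": "human resource", "condition_attr": "ip"}

    def evaluate(self, attrs: Dict[str, str], resource: str, action: str, mode: str) -> Decision:
        r = self.RULE
        if (action != r["action"] or not resource.startswith(r["resource_prefix"])
                or attrs.get("group") != r["group"]):
            return Decision("Deny")           # target does not match: no rule applies
        ip = attrs.get(r["condition_attr"])
        if ip is None:
            if mode == "residual":
                # Alternative 1: strip the policy down to the still-undecided part
                # and return that residue; the PEP evaluates it with local knowledge.
                return Decision("Conditional", conditions=[f"ip in {HR_INTRANET}"])
            if mode == "dialogue":
                # Alternative 3: ask the PEP for the missing attribute assertion.
                return Decision("NeedAttributes", missing=[r["condition_attr"]])
            # Alternative 2 expects a complete request; an incomplete one cannot be a Permit.
            return Decision("Deny")
        return Decision("Permit" if ipaddress.ip_address(ip) in HR_INTRANET else "Deny")


class PEP:
    """Enforcement point. Knows every attribute of the request but may send only
    some of them to the PDP (as in the first exchange in the message above)."""

    def __init__(self, pdp: PDP, local_attrs: Dict[str, str]):
        self.pdp = pdp
        self.local = local_attrs

    def authorize(self, send: List[str], resource: str, action: str, mode: str) -> str:
        attrs = {k: self.local[k] for k in send if k in self.local}
        d = self.pdp.evaluate(attrs, resource, action, mode)
        if d.result == "NeedAttributes":
            # Dialogue: supply what was asked for and ask again, once.
            attrs.update({k: self.local[k] for k in d.missing if k in self.local})
            d = self.pdp.evaluate(attrs, resource, action, mode)
            if d.result == "NeedAttributes":
                return "Deny"                 # still incomplete: fail closed
        if d.result == "Conditional":
            # The PEP is now a PDP with no central policy store: it evaluates
            # the residue against attributes it never sent over the wire.
            return "Permit" if all(self._check(c) for c in d.conditions) else "Deny"
        return d.result

    def _check(self, cond: str) -> bool:
        # Residual condition grammar (assumed for this example): "<attr> in <cidr>".
        attr, _, net = cond.split(" ", 2)
        value = self.local.get(attr)
        return value is not None and ipaddress.ip_address(value) in ipaddress.ip_network(net)


def demo() -> Dict[str, str]:
    """Run the three alternatives for John (inside the intranet) and an outsider."""
    res, act = "employee-record/2001", "READ"
    john = PEP(PDP(), {"employee_id": "6934", "group": "human resource", "ip": "63.56.25.25"})
    outsider = PEP(PDP(), {"employee_id": "7001", "group": "human resource", "ip": "198.51.100.7"})
    return {
        "residual_john": john.authorize(["employee_id", "group"], res, act, "residual"),
        "residual_outsider": outsider.authorize(["employee_id", "group"], res, act, "residual"),
        "complete_john": john.authorize(["employee_id", "group", "ip"], res, act, "strict"),
        "incomplete_strict": john.authorize(["employee_id", "group"], res, act, "strict"),
        "dialogue_john": john.authorize(["employee_id", "group"], res, act, "dialogue"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

The point the message makes shows up in the code: in residual mode the PDP never sees the client IP at all, so the expressiveness the decision needs has moved into the PEP's local attribute knowledge and into whatever grammar the two sides agree on for the residue (here a deliberately tiny `"<attr> in <cidr>"` form). The strict mode fails closed on an incomplete request rather than guessing, which is the behaviour a practitioner should insist on whichever alternative is chosen.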