Subject: RE: Resource sets and resource string semantics
Hi Hal,

I should have made it more clear that I am worrying about the kind of interaction that may take place between an Attribute Authority and a PDP, rather than a PDP and a PEP.

Sorry about that,
Nigel.

> -----Original Message-----
> From: Hal Lockhart [mailto:hal.lockhart@entegrity.com]
> Sent: 04 May 2001 16:56
> To: 'Edwards, Nigel'; security-services@lists.oasis-open.org
> Subject: RE: Resource sets and resource string semantics
>
> Nigel,
>
> > The intent of this assertion is to specify authorizations associated
> > with Alice's account.
> >
> > Suppose I want to issue an assertion allowing Alice to access all
> > resources on a large web site with a dynamic resource set,
> > e.g. http://www.hp.com/
> >
> > Clearly it is not possible to enumerate the entire resource set. So
> > how do we handle this case?
> >
> > It occurs to me that some may feel that this sort of assertion should
> > be considered by XACML, rather than SAML. I guess one possible
> > resolution is to leave it to XACML.
>
> I don't understand the use case you have in mind. SAML is not a policy
> provisioning protocol. What sort of request might Alice have made to suggest
> to the PEP that she might want to access all of www.hp.com? In the normal
> case, there will be thousands of pages she can access and thousands she
> cannot. Even with a really general language to express resources, e.g. reg
> exp, it's going to be a long list.
>
> It sounds to me that what you really ought to do is operate a PDP, which
> receives Attribute Assertions (and perhaps Authorization Assertions) and
> makes a decision whether to allow access. A PEP is supposed to be quite
> simple.
>
> > A related issue is the semantics of resource strings. I believe we
> > need to define what these are. Suppose one of the <Resource> elements
> > contains the following: http://www.hp.com/
> >
> > What are the semantics: the home page or everything under it?
> > In my opinion serious security issues will arise if the asserting party
> > and relying party apply different semantics.
>
> Certainly this is something that the specification should make unambiguous.
>
> Hal
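The resource-string ambiguity raised in the thread (does `http://www.hp.com/` in a `<Resource>` element name the home page, or everything under it?) can be made concrete with a small matcher. The following is an added example written for this page; it is not code from the OASIS list, from SAML, or from either correspondent. It implements the two candidate readings side by side, an "exact" semantics and a "subtree" semantics, and a `decide` function standing in for a PDP that evaluates an assertion's resource list against a requested URL. The function names, the `semantics` parameter and the request URLs are assumptions constructed for illustration; only `http://www.hp.com/` comes from the thread. The point it demonstrates is the one Nigel makes: the same assertion yields opposite decisions depending on which semantics the relying party applies, so the semantics must be fixed by the specification rather than left to each implementation.

```python
from urllib.parse import urlsplit

# Constructed example: the resource "http://www.hp.com/" is the one quoted in
# the thread; the request URLs below are made up to exercise the matchers.


def normalize(url: str) -> tuple[str, str, str]:
    """Reduce a URL to (scheme, host[:port], path) so that trivially different
    spellings of the same resource compare equal: scheme and host are
    case-folded, the scheme's default port is dropped, and an empty path is
    treated as '/'."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    port = parts.port
    if port is not None and port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{port}"
    path = parts.path or "/"
    return scheme, host, path


def matches_exact(resource: str, requested: str) -> bool:
    """'Home page' reading: the resource names exactly one URL."""
    return normalize(resource) == normalize(requested)


def matches_subtree(resource: str, requested: str) -> bool:
    """'Everything under it' reading: the resource names a URL and every path
    below it on the same scheme and host."""
    r_scheme, r_host, r_path = normalize(resource)
    q_scheme, q_host, q_path = normalize(requested)
    if (r_scheme, r_host) != (q_scheme, q_host):
        return False
    # Only match on a path-segment boundary, so that a resource of
    # "/products" covers "/products/page" but not "/productsXYZ/page".
    prefix = r_path if r_path.endswith("/") else r_path + "/"
    return q_path == r_path or q_path.startswith(prefix)


MATCHERS = {"exact": matches_exact, "subtree": matches_subtree}


def decide(asserted_resources: list[str], requested: str, semantics: str) -> str:
    """Stand-in for a PDP: Permit if any asserted resource covers the request
    under the chosen semantics, otherwise Deny."""
    match = MATCHERS[semantics]
    return "Permit" if any(match(r, requested) for r in asserted_resources) else "Deny"


def semantics_disagree(asserted_resources: list[str], requested: str) -> bool:
    """True when the exact and subtree readings of one assertion give
    different decisions for the same request; these are the cases where an
    asserting party and a relying party applying different semantics would
    silently disagree about what was authorized."""
    return (decide(asserted_resources, requested, "exact")
            != decide(asserted_resources, requested, "subtree"))


if __name__ == "__main__":
    assertion = ["http://www.hp.com/"]
    for req in ["http://www.hp.com/", "http://www.hp.com/products/index.html"]:
        print(req,
              "exact:", decide(assertion, req, "exact"),
              "subtree:", decide(assertion, req, "subtree"),
              "disagree:", semantics_disagree(assertion, req))
```

Running the block shows that the home page itself is permitted under both readings, while a page beneath it is denied under "exact" and permitted under "subtree". A relying party should therefore apply whichever semantics the specification prescribes and reject assertions whose resource strings it cannot interpret under that rule, rather than guessing.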