OASIS Mailing List Archives
security-services message

Subject: RE: XACML TC Charter Revision - Strawman


Bill,

I wrote,
> > For example, you will ask "Can Joe access x?" and you will get
> > the answer "Yes, joe can access X", but the fact of the matter is the same
> > request would get a different answer 1 sec later. Also perhaps it didn't
> > even matter that it was Joe. Probably for accountability purposes that is
> > good enough, but I continue to be concerned that the assertion will be
> > wrongly construed.

you wrote,
> if i understand this correctly, the only methods by which such apparent
> capriciousness can be avoided are:
>
> (a) require each request to contain all information necessary to form a
> decision

I don't think (a) is a practical possibility. It either requires the PEP to
understand the policies that apply (which seems an undesirable lack of
encapsulation) or requires the PEP to provide all possible evidence with every
request. I don't think this is feasible from a performance standpoint in a
distributed environment. It also leads to behavior which is unacceptable
from a user's point of view, for example, requiring unnecessary
Authentication.
 
> or
> 
> (b) provide all information involved in the decision regardless of the
> contents of the request

This is what I had in mind.

> practical issues aside, in either situation i can see potential security
> issues in that all aspects of the Authorization Decision must be
> divulged externally.

Assuming (b) I would be interested in understanding your specific concerns.
Certainly integrity and confidentiality of the assertion can be provided if
required. 

There is a principle in an Authentication situation to avoid giving away
information that would assist an attacker. However, I am not aware of a
similar concern in the context of Authorization. In fact, it is frequently a
requirement to accompany a negative response with an indication of how a
user might be allowed access, for example by reauthenticating with a
"stronger" method.

In the case of a positive response, I see no issue with informing the PEP
(or subsequently a court of law) what criteria were used.

Hal
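The design point argued in the message above, option (b), is that a decision assertion should carry all of the information the PDP actually used, so that "Yes, joe can access X" cannot later be construed as a standing fact when it really depended on the time of day and on how Joe authenticated, and so that a Deny can say what would have to change. The following is an added example written for this archive page, not code from the message, from the XACML TC, or from any XACML implementation, and it is not XACML syntax: the policy (HR records need stronger authentication outside business hours), the attribute names, the ordering of authentication methods and the "reauthenticate" hint are all assumptions chosen for illustration.

```python
"""Toy policy decision point (PDP) illustrating option (b): every decision
returns the evidence the PDP looked at, and a Deny carries a hint about what
would turn it into a Permit.  Policy, attribute names and strength ordering
are assumptions for this example, not XACML."""
from dataclasses import dataclass, field
from typing import Optional

# Assumed ranking of authentication methods by strength.
AUTHN_STRENGTH = {"password": 1, "otp": 2, "smartcard": 3}


@dataclass
class Request:
    subject: str
    resource: str
    action: str
    authn_method: str
    hour: int  # hour of day, 0-23, taken from the PEP's clock


@dataclass
class Decision:
    permit: bool
    # Everything the PDP consulted.  A later reader (the PEP, an auditor, or
    # the "court of law" mentioned above) can see that the Permit was for
    # joe, at this hour, with this authentication, under this rule, rather
    # than reading it as "joe may always access x".
    evidence: dict = field(default_factory=dict)
    # For a Deny: how the requester might still obtain access.
    hint: Optional[str] = None


def decide(req: Request) -> Decision:
    """Assumed policy: resources under /hr/ require at least OTP during
    business hours (08:00-17:59) and a smartcard outside them; anything else
    is permitted with any authentication method."""
    evidence = {
        "subject": req.subject,
        "resource": req.resource,
        "action": req.action,
        "authn_method": req.authn_method,
        "hour": req.hour,
    }
    if not req.resource.startswith("/hr/"):
        evidence["rule"] = "default-permit"
        return Decision(True, evidence)

    business_hours = 8 <= req.hour < 18
    required = "otp" if business_hours else "smartcard"
    evidence["rule"] = "hr-records"
    evidence["business_hours"] = business_hours
    evidence["required_authn"] = required
    if AUTHN_STRENGTH[req.authn_method] >= AUTHN_STRENGTH[required]:
        return Decision(True, evidence)
    # Negative response accompanied by an indication of how access could be
    # obtained, as the message says is frequently required.
    return Decision(False, evidence,
                    hint=f"reauthenticate with {required} or stronger")


if __name__ == "__main__":
    # Constructed sample requests: the same subject, resource and action,
    # differing only in the hour, get different answers, and the evidence
    # field records why.
    for hour in (9, 19):
        d = decide(Request("joe", "/hr/x", "read", "otp", hour))
        print(hour, "Permit" if d.permit else "Deny", d.evidence, d.hint)
```

The point of the `evidence` dictionary is that the assertion stays interpretable without the consumer knowing the policy: the PEP does not have to understand the rules (the objection to option (a)), yet nothing about the decision is lost when it is recorded or forwarded. If the evidence is sensitive, it travels inside the same signed and, where needed, encrypted assertion, which is the integrity and confidentiality the message says can be provided if required.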


