Re: [xacml-dev] remote PDP

[Bill Parducci <bparducci@gluecode.com>]

Seth Proctor wrote:
> Oh, ok. Then no, you can't share these with any PDPs. But by retrieving
> only the specific attributes you need from an app, you're telling that
> application some information about what's in those "secret" policies.
> The only way to keep the policy completely secret is to have the app
> send all possibly useful attributes up front. Unless you're not really
> worried about leaking a little detail (which is true for many people).

doesn't this seem like an implementation issue? if the policies evaluate 
attributes by definition they can't be hidden from the PDP. this does 
not mean that all policy authors needs to be able to see all policies, 
nor that policy authors can see the values of the attributes being 
evaluated.

'secret' policies would seem to me to be policies that are not viewable 
by all authors. in that situation my thinking is that the policy 
editing/repository interface be given the responsibility for maintaining 
security on the policies and that the PEP would send all relevant 
attributes with the request. the PDP, having 'root-like' access to the 
policies would evaluate *all* relevant polices and redner its decision.

of course, this introduces the situation where someone not on the 'need 
to know' policy author list might provide access to a resource 
inadvertently as a result of writing a policy that does not evaluate the 
entire scope of attributes.  in the absence of any sort of author 
attribute in the policy, me thinks this could be best handled with some 
sort of overarching policy that includes all sensitive resources with 
reference to key attributes (at least that is how it reads in the 
brochure ;o)

b