Re: [xacml-dev] remote PDP

[Seth Proctor <Seth.Proctor@Sun.COM>]

On Fri, 2004-10-08 at 13:32, Bill Parducci wrote:
> Seth Proctor wrote:
> > Oh, ok. Then no, you can't share these with any PDPs. But by retrieving
> > only the specific attributes you need from an app, you're telling that
> > application some information about what's in those "secret" policies.
> > The only way to keep the policy completely secret is to have the app
> > send all possibly useful attributes up front. Unless you're not really
> > worried about leaking a little detail (which is true for many people).
> 
> doesn't this seem like an implementation issue? if the policies evaluate 
> attributes by definition they can't be hidden from the PDP. this does 
> not mean that all policy authors needs to be able to see all policies, 
> nor that policy authors can see the values of the attributes being 
> evaluated.

Of course it's an implementation detail...that's why we're discussing it
here :)

I guess my point is that there must be a reason why the policy is hidden
from the application. In many cases, this happens because the conditions
of the policy are supposed to be secret, known only to those who write
the policies. However, if an application is queried for all key
attributes that are needed by the policy, then the application can form
some information about what the policy says based on which attributes
are used for which requests. Does this matter to everyone? Definately
not. But, if you're worried about the secrecy of the policies, it may be
a concern.

I think the point you raise here is a good one, but I see it as a
separate issue. You can keep policies hidden from people and still allow
apps to grab them when they need to do internal evaluation. By keeping
the policies hidden from the apps themselves, it implies (to me) that
you don't trust the applications. If that's the case, then I wonder
about letting the apps supply attributes (as I said at the end of my
last email). Maybe I'm just being too paranoid (as usual)..

> 'secret' policies would seem to me to be policies that are not viewable 
> by all authors. in that situation my thinking is that the policy 
> editing/repository interface be given the responsibility for maintaining 
> security on the policies and that the PEP would send all relevant 
> attributes with the request. the PDP, having 'root-like' access to the 
> policies would evaluate *all* relevant polices and redner its decision.

Sure, and this is basically what I suggested. It's a burden, but make
the PEP send all possibly useful attributes. I think the use case here,
however, involves not sending those attributes from the start, which I'm
not sure can be easily reconciled.

> of course, this introduces the situation where someone not on the 'need 
> to know' policy author list might provide access to a resource 
> inadvertently as a result of writing a policy that does not evaluate the 
> entire scope of attributes.  in the absence of any sort of author 
> attribute in the policy, me thinks this could be best handled with some 
> sort of overarching policy that includes all sensitive resources with 
> reference to key attributes (at least that is how it reads in the 
> brochure ;o)

Heh. That brochure is one good read :)

You're definately onto an important issue: If I can't see the rest of
the system, how do understand how my policy effects the system? I think
the over-arching policy is a good start. I've been doing some other
thinking about this too, but as usual, I haven't had time to write it
all down yet. Someday..


seth