Re: [xacml-dev] remote PDP

[Seth Proctor <Seth.Proctor@Sun.COM>]

On Fri, 2004-10-08 at 14:03, Bill Parducci wrote:
> > I guess my point is that there must be a reason why the policy is hidden
> > from the application. In many cases, this happens because the conditions
> > of the policy are supposed to be secret, known only to those who write
> > the policies. However, if an application is queried for all key
> > attributes that are needed by the policy, then the application can form
> > some information about what the policy says based on which attributes
> > are used for which requests. Does this matter to everyone? Definately
> > not. But, if you're worried about the secrecy of the policies, it may be
> > a concern.
> 
> i guess i can't think of a situation where you would hide your policies 
> from 'applications'. what applications, the PEP? what else would talk to 
> a PDP? so if the answer is nothing, then the problem becomes how to deal 
> with untrustworthy (or vriable trustworthiness) PEPs? the only way you 
> could handle that that i can think of is to put a 'trustworthy' PEP 
> between your 'remote' PEPs and the (central) PDP so as to filter requests.

Well, my comments are based on the original use case. I asked about
securing the policies but making them available to PDPs embedded in the
applications, and was told that the applications (ie, the PEPs) are not
allowed to see the policies. They are kept completely secret, available
only to the author and the evaluating PDP.

I also can't think of too many situations where you care about hiding
policies from select applications, especially when those applications
are trusted to supply attributes used in the decision process.
Apparently, however, this case has that propoerty. Given that, I think
I'd need to know more about the trust model to understand how to protect
things correctly. At the end of the evaluation, the PEP is controlling
access to data, so if it wants to game the system it seems to me that
it's the app's loss :)


seth