XACML X.509 support

["Mine Altunay" <maltuna@ncsu.edu>]

Hi all

How does a PDP verifies the validity/legitimacy of claimed attributes in a
given request. For example, a subject attribute may claim that the user is
a member of a developer group. Then, PDP would evaluate this information
and decides the appropriate access decision for the "developers". However,
how does the PDP verify that the said subject does indeed a member of the
claimed group? What I see from PDP and request examples is that a request
does not carry such proofs such as Attribute credentials or identity
credentials.

However,lack of such a support makes the authz process very naive,
vulnerable against malicious users.

Additionally, I am working with an identity-based authz system that relies
on x.509 credentials. Therefore, for my PDP it is important not only to
get an access decision, but also to verify that the subject does indeed
have a valid certificate (or ACs or whatever the policy calls). Right now,
I am using the xacml X500NameAttribute, however, it does not really prove
that this subject indeed has an issued certificate.(I am naively passing
the DN and hoping that the user is honest with it)

If you could point me ways to provide such a verification in my xacml
framework, I would be grateful.

Also, do you see this verification problem as out of the xacml scope or is
there already support in existing xacml framework that perhaps I am
missing

PS: I also thought about external means to send the certificate after the
authz process but it is costly and redundant.
Thank you all

-- 
Mine Altunay
PhD student,
Computer Engineering Dept, NC State Univ
Phone: (919) 395 2789
E-Mail:maltuna@ncsu.edu