Subject: RE: [xacml-dev] XACML X.509 support
I will try to answer from the standard perspective - I am sure that people familiar with the particular implementation you work with will fill in.

How the information gets into the context handler and how its consistency is ensured -- transport layer security, digital signatures -- is outside of the scope of the XACML standard. It is expected that a particular implementation takes care of this - there are plenty of good tools to choose from. Environments where XACML can be used are too diverse.

D;

-----Original Message-----
From: Mine Altunay [mailto:maltuna@ncsu.edu]
Sent: Tuesday, February 22, 2005 11:22 AM
To: xacml@lists.oasis-open.org
Cc: sunxacml-discuss@lists.sourceforge.net; xacml-dev mailing list
Subject: [xacml-dev] XACML X.509 support

Hi all,

How does a PDP verify the validity/legitimacy of claimed attributes in a given request? For example, a subject attribute may claim that the user is a member of a developer group. Then, the PDP would evaluate this information and decide the appropriate access decision for the "developers". However, how does the PDP verify that the said subject is indeed a member of the claimed group? What I see from PDP and request examples is that a request does not carry such proofs as attribute credentials or identity credentials. However, lack of such support makes the authz process very naive, vulnerable against malicious users.

Additionally, I am working with an identity-based authz system that relies on x.509 credentials. Therefore, for my PDP it is important not only to get an access decision, but also to verify that the subject does indeed have a valid certificate (or ACs or whatever the policy calls for). Right now, I am using the xacml X500NameAttribute; however, it does not really prove that this subject indeed has an issued certificate. (I am naively passing the DN and hoping that the user is honest with it.) If you could point me to ways to provide such a verification in my xacml framework, I would be grateful.

Also, do you see this verification problem as out of the xacml scope, or is there already support in the existing xacml framework that perhaps I am missing?

PS: I also thought about external means to send the certificate after the authz process, but it is costly and redundant.

Thank you all

--
Mine Altunay
PhD student, Computer Engineering Dept, NC State Univ
Phone: (919) 395 2789
E-Mail: maltuna@ncsu.edu
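The reply above puts attribute verification on the implementation rather than on the XACML standard. The Go program below is an added example (not written by either correspondent, and not code from any XACML implementation) of the check a context handler can perform before it builds the request for the PDP: verify the presented client certificate against a trust anchor, and admit only those claimed group attributes that the verified certificate actually attests. `BindSubject`, `XACMLSubject`, the CA and certificates that `NewFixture` constructs, and the use of the certificate's OU values as a group attribute are all assumptions made for illustration; a real deployment would map its own certificate fields or attribute certificates to XACML attributes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// XACMLSubject holds the subject attributes the context handler will put in the XACML request.
type XACMLSubject struct {
	SubjectID string   // X500Name of the verified certificate (subject-id attribute)
	Groups    []string // hypothetical group attribute, attested by the certificate's OU values
}

// BindSubject verifies the presented client certificate against the trusted roots, then checks
// that every group the requester claims appears among that certificate's OU values. A claim the
// certificate does not back is rejected here rather than handed to the PDP.
func BindSubject(leaf *x509.Certificate, roots *x509.CertPool, claimed []string, now time.Time) (*XACMLSubject, error) {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return nil, fmt.Errorf("certificate not trusted: %w", err)
	}
	attested := make(map[string]bool)
	for _, ou := range leaf.Subject.OrganizationalUnit {
		attested[ou] = true
	}
	for _, g := range claimed {
		if !attested[g] {
			return nil, fmt.Errorf("claimed group %q is not attested by the certificate", g)
		}
	}
	return &XACMLSubject{SubjectID: leaf.Subject.String(), Groups: append([]string(nil), claimed...)}, nil
}

// mustIssue generates a P-256 key for the new certificate and signs tmpl on behalf of parent with
// signer (nil means self-signed). It panics on failure: it only builds the constructed fixture.
func mustIssue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// NewFixture builds constructed test material: a trust pool holding one CA, a client certificate
// that CA issued with OU=developers, and a self-signed certificate that merely claims the same name.
func NewFixture(now time.Time) (roots *x509.CertPool, issued, rogue *x509.Certificate) {
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Trusted CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca, caKey := mustIssue(caTmpl, caTmpl, nil)
	// The same claimed identity is used twice; only the first certificate is issued by the trusted CA.
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "Alice Example", OrganizationalUnit: []string{"developers"}},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	issued, _ = mustIssue(tmpl, ca, caKey)
	tmpl.SerialNumber = big.NewInt(3)
	rogue, _ = mustIssue(tmpl, tmpl, nil)
	roots = x509.NewCertPool()
	roots.AddCert(ca)
	return roots, issued, rogue
}

func main() {
	now := time.Now()
	roots, issued, rogue := NewFixture(now)
	s, err := BindSubject(issued, roots, []string{"developers"}, now)
	fmt.Println("issued certificate:", s, err)
	_, err = BindSubject(rogue, roots, []string{"developers"}, now)
	fmt.Println("rogue certificate:", err)
}
```

The point of the two client certificates is the one raised in the original question: both carry the DN `CN=Alice Example,OU=developers`, so passing the X500Name alone tells the PDP nothing. Only the certificate that chains to the trusted CA is accepted, and a group claim the certificate does not carry (for example "admins") is refused before any policy is evaluated. In a deployment, the certificate would come from the TLS client-authentication handshake or a signed request rather than from a fixture.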