Subject: Re: [xacml-dev] Re: [xacml-users] XACML 2.0 Conformance Tests Questions
Ludwig,
Thanks for the answer, it's very helpful. I still have
questions on multiple subjects and the context handler.
1. Context Handler.
-------------------
It looks like you consider the context handler's ability to
fetch additional attributes as a mandatory XACML 2.0
feature, but the only requirement on the context handler
that I found was this:
"...the context handler is responsible for obtaining
and supplying the requested values by
whatever means it deems appropriate."
In general "whatever" is not a very good specification
if you look at it from an implementation point of view,
and it doesn't mean at all that the context handler MUST
have a mechanism for resolving attributes that are
missing in the request. I can say that my "whatever"
mechanism is to look for attributes in the request message
only. That's why I think that IIA002 should probably be
included in the PIP/PEP tests, not in the PDP tests.
2. Multiple Subjects in Request.
--------------------------------
I think my question was rather about understanding the
concept of multiple subjects in a request than about the
evaluation algorithm. I actually think that the evaluation
algorithm in 7.5 doesn't match well the intentions
described in non-normative section 2.4.
Let us look at the example that you have: 3 subjects and
only one of them matches <SubjectMatch>. Decision
"Permit" means that ALL subjects are authorized to
have access to the resource (does it?). Looks like
a potential security breach to me, because I can add
100 more subjects with different categories to this
request and they all will be granted permission to
the resource too.
Thanks again,
Oleg.
--- Ludwig Seitz <ludwig@sics.se> wrote:
>
> On Tue, 2008-04-22 at 11:07 -0700, Oleg Gryb wrote:
> > Hi,
> >
> > I've a question about XACML 2.0 conformance tests that
> > are published here:
> >
> > http://www.oasis-open.org/committees/download.php/14846/xacml2.0-ct-v.0.4.zip
> >
> > This test suite is a great asset for those who want
> > to evaluate their PDP implementations. I found/fixed a
> > great many bugs in my own XACMLight
> > (http://sourceforge.net/projects/xacmllight)
> > implementation, however there are a few tests from the
> > mandatory suite that I want to ask you about. They
> > are:
> >
> > 1. IIA002Request.xml
>
> Check the IIA002Special.txt file included in the
> test suite.
>
> > 2. IIB010Request.xml
> > 3. IIB021Request.xml
> > 4. IIB028Request.xml
> > 5. IIB037Request.xml
>
> > In #4 and #2 the multiple subjects are used in the
> > request. When I read XACML 2.0's section 2.4, I got an
> > impression that if multiple subjects are provided in
> > the request, ALL of them must be evaluated and matched
> > against a SubjectMatch in the policy, because access
> > is granted to all of them or to none of them. In #4
> > and #2 only one subject is matched against the target, but
> > the suggested response for both cases is "Permit". I think
> > it should be "NotApplicable" in both cases.
>
> No, you got that wrong. Read section 7.5 on how SubjectMatch
> is evaluated.
>
> > In #5 and #3 the <Condition> is missing. According to
> > XACML 2.0 the rule with a missing condition should be
> > evaluated to "true". Since the Target is matched by the
> > request in both cases the decision should be "Permit",
> > but the suggested decision is "NotApplicable".
>
> The target in #3 is not matched in the subject part,
> since the attribute issuer in the request is:
>
> Issuer="http://www.medico.com/certification-authority"
>
> and the required issuer in the policy is:
> Issuer="http://www.medico.com"
>
> In #5 again the issuer is different (this time in
> the Resource section):
> Issuer="http://www.medico.com/Certification-Authority"
> for the policy
> and Issuer="http://www.medico.com/Cert-Auth" for the
> request.
>
> Cheers,
>
> Ludwig Seitz
>
> --
> Ludwig Seitz
> Ph.D., Researcher
> Security, Policy and Trust Laboratory (SPOT)
> Swedish Institute of Computer Science (SICS)
> homepage: http://www.sics.se/~ludwig