xacml-dev message



Subject: Re: [xacml-dev] Re: [xacml-users] XACML 2.0 Conformance Tests Questions


IBM DataPower's PDP engine. I've done a POC for this product with Jaime Ryan, who's an excellent source of information for this product, so you can talk to him to get more details.

We used IBM's XSLT extensions, which can work with web services or a DB to resolve attributes, but it was done before the request hits the PDP.


--- Craig Forster <cforster@au1.ibm.com> wrote:

> Hi Oleg,
> 
> >> Sun's implementation has the concept of plugin that can be called from
> >> PDP and IBM's implementation doesn't (attributes must be resolved before
> >> a request hits their PDP). Still IBM states that they are XACML 2.0
> >> compliant. What are you going to do about that?
> 
> What implementation are you referring to here?
> 
> Regards,
> Craig
> 
> ---------------------------------------------------------------
> Craig Forster
> Software Engineer
> IBM Australia Development Labs
> Argus == https://w3.webahead.ibm.com/w3ki/display/commonauthz/Home
> Blog == http://blogs.tap.ibm.com/weblogs/craigforster/
> ---------------------------------------------------------------
> 
> From:    Oleg Gryb <oleg_gryb@yahoo.com>
> To:      Seth Proctor <Seth.Proctor@sun.com>
> Cc:      Ludwig Seitz <ludwig@sics.se>, xacml-dev@lists.oasis-open.org
> Date:    26/04/2008 07:22
> Subject: Re: [xacml-dev] Re: [xacml-users] XACML 2.0 Conformance Tests Questions
> 
> > > To summarize: I think it's a good idea to get all attributes resolved
> > > before request hits a PDP.
> >
> > The problem is that this is an impossible task. In all but the most
> > closed and limited systems, it's a very hard task (in general) to know
> > all attributes that will be useful for a given request. How do you know
> > all attributes associated with the given user? How do you know what
> > policies will apply to the request, which policies will be referenced
> > as part of evaluation, and therefore which attribute values will be
> > needed?
> 
> I think I know at least one person who can answer all these questions:
> this person is a policy creator. If a policy creator can't answer the
> questions about how the (subject, action, resource) vector (SAR) is mapped
> to the attributes that are required to do the authorization job, then I
> would not trust this policy creator or her policies much.
> 
> If you agree with this statement, then the next step for the policy creator
> is to feed that knowledge to the PIP. It doesn't matter how or by whom the
> PIP is called in this case: from the PDP using a context handler, or before
> the PDP is called.
> 
> I think that interoperability between different PDP implementations is
> the most important feature that must be addressed by the standard. There
> are two grey areas in XACML 2.0 that might make policy interop
> problematic:
> 
> 1. Definition of context handler
> 2. Definition of references
> 
> How can a policy that uses references be interoperable if reference
> resolution is vendor specific?
> 
> How can a policy that relies on missing-attribute resolution made by the
> PDP be interoperable if it's not even clear from XACML 2.0 that such a
> mechanism must exist?
> 
> Sun's implementation has the concept of a plugin that can be called from
> the PDP and IBM's implementation doesn't (attributes must be resolved
> before a request hits their PDP). Still IBM states that they are XACML
> 2.0 compliant. What are you going to do about that?
> 
> I think XACML 2.0 should clearly define core (or mandatory) features that
> must be interoperable between different vendors and extensions that might
> be vendor-specific. I think references and attribute resolution should
> fall into the second category. A policy creator must understand clearly
> that when an extension is used the solution will not be interoperable.
> 
> >
> > seth
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: xacml-dev-unsubscribe@lists.oasis-open.org
> > For additional commands, e-mail: xacml-dev-help@lists.oasis-open.org
> >
> 
> ____________________________________________________________________________________
> Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it now.
> http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ




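The disagreement in the thread is about where attribute resolution happens: before the request reaches the PDP (IBM, per Oleg's description) or on demand through a context handler that calls a PIP (Sun's plugin model). The following toy PDP is an added illustration of that difference and is not code from the thread, from the XACML specification, or from any vendor named above. It is not a conformant XACML engine: it models one rule with "MustBePresent" attribute designators and two request contexts, one pre-resolved and one backed by a PIP callback. The policy, the directory stand-in and the request contexts are constructed for the example; the two status-code URNs are the ones XACML 2.0 defines for "ok" and "missing-attribute".

```python
"""Toy XACML-style PDP showing pre-resolved vs. PIP-backed attribute lookup.

Added illustration only. Everything below (rule, directory, requests) is
constructed; it is not the behaviour of Sun's, IBM's or any other product.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Status codes defined by XACML 2.0 (Appendix B, status codes).
STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"
MISSING_ATTRIBUTE = "urn:oasis:names:tc:xacml:1.0:status:missing-attribute"

# A PIP is modelled as a callback: (category, attribute_id) -> value or None.
PIP = Callable[[str, str], Optional[str]]


@dataclass
class RequestContext:
    # category -> attribute_id -> value, e.g. {"subject": {"role": "auditor"}}
    attributes: Dict[str, Dict[str, str]]
    # Context-handler hook. None means "attributes must already be in the request",
    # which is the pre-resolution model argued about in the thread.
    pip: Optional[PIP] = None

    def get(self, category: str, attribute_id: str) -> Optional[str]:
        value = self.attributes.get(category, {}).get(attribute_id)
        if value is None and self.pip is not None:
            # Context-handler behaviour: ask the PIP for the missing attribute
            # and cache the answer so later designators see the same value.
            value = self.pip(category, attribute_id)
            if value is not None:
                self.attributes.setdefault(category, {})[attribute_id] = value
        return value


@dataclass
class Rule:
    effect: str                                # "Permit" or "Deny"
    # (category, attribute_id, expected_value); every designator is MustBePresent.
    conditions: List[Tuple[str, str, str]]


def evaluate(rule: Rule, ctx: RequestContext) -> Tuple[str, str]:
    """Return (decision, status_code) for a single rule.

    A MustBePresent attribute that cannot be resolved yields Indeterminate with
    the missing-attribute status; a present but non-matching value makes the
    rule NotApplicable; otherwise the rule's effect applies.
    """
    for category, attr_id, expected in rule.conditions:
        value = ctx.get(category, attr_id)
        if value is None:
            return ("Indeterminate", MISSING_ATTRIBUTE)
        if value != expected:
            return ("NotApplicable", STATUS_OK)
    return (rule.effect, STATUS_OK)


# Constructed policy: permit when the subject's role attribute is "auditor".
AUDIT_RULE = Rule("Permit", [("subject", "role", "auditor")])

# Constructed stand-in for an attribute store (LDAP, DB, web service) behind a PIP.
_DIRECTORY = {("subject", "role"): "auditor"}


def directory_pip(category: str, attribute_id: str) -> Optional[str]:
    return _DIRECTORY.get((category, attribute_id))


def demo() -> Dict[str, Tuple[str, str]]:
    """Same policy, same subject, three ways of supplying attributes."""
    # Request arrives without the role; no PIP available to the PDP.
    pre_resolved_incomplete = RequestContext({"subject": {"id": "alice"}})
    # Caller resolved the role ahead of time, as the pre-resolution model requires.
    pre_resolved_complete = RequestContext({"subject": {"id": "alice", "role": "auditor"}})
    # Request arrives without the role, but the context handler can ask the PIP.
    with_pip = RequestContext({"subject": {"id": "alice"}}, pip=directory_pip)
    return {
        "pre_resolved_incomplete": evaluate(AUDIT_RULE, pre_resolved_incomplete),
        "pre_resolved_complete": evaluate(AUDIT_RULE, pre_resolved_complete),
        "with_pip": evaluate(AUDIT_RULE, with_pip),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:25s} -> {result}")
```

The interoperability point Oleg raises falls out of the first and third cases: the identical policy and identical request produce Indeterminate on an engine that expects pre-resolved attributes and Permit on one whose context handler consults a PIP, so a policy written against one resolution model is not portable to the other.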
