xacml-users message

Subject: Re: [xacml-users] Obligations: How can they be used?



Hi Michael.

On Thu, 2004-10-28 at 08:18, XACML@arctis wrote:
> When experimenting with SUN's implementation, I have problems to get the
> basic idea of the structure of an obligation. The XACML1.0 standard does not
> tell very much about this, and I found (at least no positive) answers in the
> mailing lists.

FYI, there is a discussion list specific to the SunXACML implementation,
though I think you probably found it given your comment about mailing
lists. I know this is a general question, but I wanted to let you know
about the project-specific list, in case you hadn't found it yet.

> 1st: 
> I expected that an obligation can carry any internal structure like
> 
>         <Obligation ObligationId="TESTPERMIT1" FulfillOn="Permit">
>           <encryptFor>C=A, O=arctis, OU=R&amp;D, CN=Michael Breu</encryptFor>
>         </Obligation>
> 
> However I see no way to express something like this, unless I encode it with
> fairly complex AttributeAssignments. Is this right?

An Obligation consists of AttributeAssignments, that's correct. But
AttributeAssignments are just AttributeValues, so there's nothing too
complex about that. You can put anything you like in an AttributeValue.
The reason for this structure is to provide "parameters" in an
Obligation.

> 2nd: Is there any way to make obligations dynamic? E.g. bringing in data
> from the target or the resource?
> 
> I would like to express something like: "The response for the web service
> call must be encrypted for the person that sent the call"
> 
> e.g.
>   <Obligation ObligationId="TESTPERMIT2" FulfillOn="Permit">
>     <AttributeAssignment AttributeId="EncryptObligation"
>         DataType="http://www.w3.org/2001/XMLSchema#anyURI">
>       <SubjectAttributeDesignator
>           AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
>           DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"/>
>     </AttributeAssignment>
>   </Obligation>
> 
> Any ideas how to express this in a XACML policy?

There are two issues. The first is where these values get resolved, and
the second is the datatype. To the first point, the XACML spec is
explicit that the PDP may not operate on the contents of an Obligation.
So, you can write something like you've got here, but it's the PEP (or
some other entity) that does the resolution. In other words, this is not
part of what the PDP does, so don't expect the Designator to get
resolved for you :)

To the second point, an AttributeAssignment is an AttributeValue. As
such, its contents must be legal for the given datatype. What you've got
above lists the datatype as a URI, but the contents of the Assignment is
not a URI. You either need to make this a string, and escape all the
tags so it doesn't look like complex content, or you need to come up
with some other datatype to support your content.


seth
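
The two points in the reply above, worked through on the PEP side as an added example (this is not code from the thread, from SunXACML or from the XACML TC): the PDP returns the Obligation with its AttributeAssignments untouched, so a "dynamic" parameter has to be something the PEP itself recognises and resolves against the request context. The example assumes the convention Seth suggests, an xs:string assignment whose content is an escaped SubjectAttributeDesignator, and it also checks each assignment's content against its declared DataType before acting on it. The request and response documents, the EncryptObligation and EncryptionAlgorithm assignment ids, and the subject value are constructed for the example. The XACML 1.0 rule that a PEP must deny access if it cannot fulfil (or does not understand) an obligation is modelled by raising an exception the caller treats as Deny.

```python
"""PEP-side resolution and type-checking of XACML 1.0 obligations (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
XS_ANYURI = "http://www.w3.org/2001/XMLSchema#anyURI"
RFC822 = "urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"


class UnfulfillableObligation(Exception):
    """The PEP cannot fulfil this obligation; a XACML 1.0 PEP must then deny access."""


def _local(tag):
    # Compare local names only, so the context and policy namespaces do not matter.
    return tag.split("}")[-1]


def subject_attributes(request_xml):
    """Collect Subject attributes of a request as {(AttributeId, DataType): [values]}."""
    attrs = {}
    for subj in ET.fromstring(request_xml).iter():
        if _local(subj.tag) != "Subject":
            continue
        for attr in subj:
            if _local(attr.tag) == "Attribute":
                key = (attr.get("AttributeId"), attr.get("DataType"))
                vals = [v.text for v in attr if _local(v.tag) == "AttributeValue"]
                attrs.setdefault(key, []).extend(vals)
    return attrs


def check_datatype(value, datatype):
    """Reject content that is not legal for its declared DataType (the second issue in the reply)."""
    if datatype == XS_ANYURI and (not urlparse(value).scheme or value != value.strip()):
        raise UnfulfillableObligation(f"not a URI: {value!r}")
    if datatype == RFC822 and value.count("@") != 1:
        raise UnfulfillableObligation(f"not an rfc822Name: {value!r}")
    return value


def resolve_assignment(raw, datatype, subj_attrs):
    """Resolve one AttributeAssignment to (value, datatype); the PDP never did this for us."""
    text = (raw or "").strip()
    # Assumed convention: an xs:string holding an escaped SubjectAttributeDesignator
    # means "take this attribute from the request's Subject".
    if datatype == XS_STRING and text.startswith("<SubjectAttributeDesignator"):
        desig = ET.fromstring(text)  # the PDP returned it as escaped text; re-parse it here
        key = (desig.get("AttributeId"), desig.get("DataType"))
        values = subj_attrs.get(key)
        if not values:
            raise UnfulfillableObligation(f"request carries no subject attribute {key}")
        return check_datatype(values[0], key[1]), key[1]
    return check_datatype(text, datatype), datatype


def applicable_obligations(response_xml, subj_attrs):
    """Return [(ObligationId, {AttributeId: (value, datatype)})] whose FulfillOn matches the Decision."""
    root = ET.fromstring(response_xml)
    decision = next(e.text for e in root.iter() if _local(e.tag) == "Decision")
    out = []
    for ob in root.iter():
        if _local(ob.tag) != "Obligation" or ob.get("FulfillOn") != decision:
            continue
        params = {}
        for a in ob:
            if _local(a.tag) == "AttributeAssignment":
                params[a.get("AttributeId")] = resolve_assignment(a.text, a.get("DataType"), subj_attrs)
        out.append((ob.get("ObligationId"), params))
    return out


# Constructed sample request context: the caller of the web service, identified by e-mail.
SAMPLE_REQUEST = f"""<Request xmlns="urn:oasis:names:tc:xacml:1.0:context">
  <Subject><Attribute AttributeId="{SUBJECT_ID}" DataType="{RFC822}">
    <AttributeValue>michael.breu@example.com</AttributeValue></Attribute></Subject>
  <Resource><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
    DataType="{XS_ANYURI}"><AttributeValue>http://example.com/ws/orders</AttributeValue></Attribute></Resource>
  <Action/>
</Request>"""

# Constructed sample PDP response: the designator travels as escaped xs:string content.
SAMPLE_RESPONSE = f"""<Response xmlns="urn:oasis:names:tc:xacml:1.0:context"
          xmlns:xacml="urn:oasis:names:tc:xacml:1.0:policy">
  <Result><Decision>Permit</Decision>
    <xacml:Obligations>
      <xacml:Obligation ObligationId="TESTPERMIT2" FulfillOn="Permit">
        <xacml:AttributeAssignment AttributeId="EncryptObligation" DataType="{XS_STRING}">&lt;SubjectAttributeDesignator AttributeId="{SUBJECT_ID}" DataType="{RFC822}"/&gt;</xacml:AttributeAssignment>
        <xacml:AttributeAssignment AttributeId="EncryptionAlgorithm" DataType="{XS_ANYURI}">http://www.w3.org/2001/04/xmlenc#aes128-cbc</xacml:AttributeAssignment>
      </xacml:Obligation>
      <xacml:Obligation ObligationId="TESTDENY1" FulfillOn="Deny">
        <xacml:AttributeAssignment AttributeId="Audit" DataType="{XS_STRING}">log refusal</xacml:AttributeAssignment>
      </xacml:Obligation>
    </xacml:Obligations>
  </Result>
</Response>"""

if __name__ == "__main__":
    try:
        for ob_id, params in applicable_obligations(SAMPLE_RESPONSE, subject_attributes(SAMPLE_REQUEST)):
            print(ob_id, params)
    except UnfulfillableObligation as err:
        print("Deny:", err)
```

Only the Permit obligation is returned, with the designator replaced by the caller's rfc822Name from the request; an assignment whose content does not fit its declared datatype, or a designator the request cannot satisfy, surfaces as UnfulfillableObligation so the PEP falls back to Deny instead of acting on bad parameters.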

