Subject: XACML support systems ? Use cases and dilemmas
Hello

After having read last week's emails on the list, I'm thinking hard. I see that we have a dilemma here:

1. XML is easily readable by humans and machines.
2. It is an open text format.
3. We are talking about an Access Control description for an open, text-based standard, readable by everyone...

We need some use cases ASAP.

Use case 1:
1. Person receives (or intercepts) XML document.
2. Person opens XML document in Notepad.
3. Person reads the full document (incl. the XACML list in the beginning of the email, wondering who is going to hit him on the head for violating the access rights described there, since Notepad definitely doesn't).

This use case is the most simple description of our main dilemma.

Use case 2:
1. Person requests access to XML document on web server.
2. Web server will look up in its access control mechanism to see if the resource requested is protected. These kinds of mechanisms depend on the web server, OS, etc.
3. Web server will follow the HTTP standard for requesting username and password, if the resource is protected.

This use case describes another dilemma: XML documents are normally protected by the devices delivering them. In this case on the file level, since web servers don't know the structure of XML documents.

Use case 3:
1. Person requests XML data from a database.
2. The DBMS will use the built-in access control mechanism to see if the resource is protected, and go along according to these rules.
3. DBMS will use its mechanism for requesting username and password.

Securing access rights is about Authentication and Authorization. (Remember Kerberos?) I see that XACML should deal with Authorization (who can see what), and it must be linked to Authentication (who is who?). And then we will have to link XACML to access mechanisms enforcing the XACML policies, since XML itself is an open text format. And this is the big task.

There will always be non-XACML compatible devices (such as e.g. Notepad or emacs) that will happily grant the user access to the full text file, since that is how these tools view XML - as text files. And there will be a lot of XML delivery mechanisms (web servers, databases, file systems etc.) that will happily ignore the XACML header (if that is what it will be), again since XML documents essentially are text files (a sequential collection of Unicode characters).

And then we need to look at LDAP and Kerberos, since I believe that these standards are very near to the models that we need.

Happy flying
Jens Jakob
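As an added illustration of use case 2 and of the enforcement problem the post raises (example code, not part of Jens Jakob's message), here is a small Python policy enforcement point: a plain "Notepad" reader returns the whole file, policy included, while the delivery layer authenticates the subject and only then evaluates the embedded rules. The <policy> element, the user table and the document are constructed, simplified stand-ins and are not XACML syntax.

```python
# Added example: a minimal policy enforcement point for the web-server use case.
# The <policy> header, USERS table and DOCUMENT are constructed and simplified;
# they are hypothetical stand-ins, not XACML syntax.
import base64
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Constructed sample document carrying a hypothetical in-document policy header.
DOCUMENT = """<report>
  <policy>
    <rule subject="alice" action="read" effect="Permit"/>
    <rule subject="*" action="read" effect="Deny"/>
  </policy>
  <body>Quarterly figures: revenue up 12%.</body>
</report>"""

# Constructed credential store standing in for the web server's user database.
USERS = {"alice": "s3cret", "bob": "hunter2"}


def read_as_notepad(doc: str) -> str:
    """A text editor enforces nothing: the whole file, policy included, is visible."""
    return doc


def basic_header(user: str, password: str) -> str:
    """Build an HTTP Basic Authorization header value for a client request."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authenticate(authorization: Optional[str]) -> Optional[str]:
    """Authentication (who is who?): returns the verified user name or None."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(authorization[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user if USERS.get(user) == password else None


def authorize(policy: ET.Element, subject: str, action: str) -> bool:
    """Authorization (who can see what?): first matching rule wins, no match means Deny."""
    for rule in policy.findall("rule"):
        if rule.get("subject") in (subject, "*") and rule.get("action") == action:
            return rule.get("effect") == "Permit"
    return False


def serve(doc: str, authorization: Optional[str]) -> Tuple[int, str]:
    """The delivery mechanism is the only place where the policy is enforced."""
    root = ET.fromstring(doc)
    subject = authenticate(authorization)
    if subject is None:
        return 401, ""                    # challenge for credentials, per HTTP
    if not authorize(root.find("policy"), subject, "read"):
        return 403, ""                    # authenticated but not permitted
    root.remove(root.find("policy"))      # strip the policy before delivery
    return 200, ET.tostring(root, encoding="unicode")
```

Passing a valid header for alice yields 200 with the body only; bob gets 403, and a missing or wrong credential gets 401.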