OASIS Mailing List Archives

xacml message



Subject: RE: XACML TC Charter Revision - Strawman



Hi Hal,

 
Good summary.  I have a couple of comments.

Firstly, I don't know if the top left quadrant is actually a SAML requirement.  Certainly, there is interest in being able to send the justification for an "allowed" decision (along with the actual decision), but I don't recall this actually being mandated (especially since it has been agreed that very, very simple PEPs must be supported).  In any case, I certainly agree that it might be useful to allow the PDP to send the justification for both allowed and denied to the PEP.  So, I'd change the first cell to "May be useful for auditing purposes" and leave the second cell as-is (or perhaps add "May be useful for auditing purposes" to what you have).

The bottom row, however, should perhaps not be labeled "Inform Subject", but rather "Inform everyone else" (since I doubt that people are thinking of encrypting this policy information for the subject, for example).  Once we think of it as "Inform everyone else", then I think that both cells should be labeled "Possibly Risky".  Exposing the reasoning behind the PDP decision (whether the decision is "allowed" or "denied") gives information to a third party as to what they can try themselves in order to get an "allowed" decision.

In short, there may be value in sharing this information (confidentially) with a PEP, but I see little value (and potential harm) in sharing this information with the rest of the world.  An SSL-protected session between the PDP and the PEP might seem like a reasonable solution, but this leaves the information exposed at the PEP site once it exits the SSL pipe (similar to SSL-protected credit card numbers today).  Therefore, the proper solution may be to encrypt the information for the PEP within the SAML response message or decision assertion.

Carlisle.


