
xacml message



Subject: FW: proposed XACML Domain Model + Scope


All members should make sure to review Gilbert's document prior to the call
on Thursday. Here are my comments:

First and foremost, thanks for producing this Gilbert!

In answer to the question "Should the Policy Decision Point be in scope for
XACML?". Yes. Although I had not initially envisioned the PDP as part of our
scope, I think we need to make it in scope as a matter of practicality.
Forming yet another TC seems like a bad idea and until the PDP is in scope
for someone, the policy language won't be used. This is similar to the
access protocol question that came up earlier.

The definition of Authorization Decision Assertions: "Assertions that
correspond to the result of an authorization decision. Such assertions must
contain the binary result of the decision (permitted/not permitted) and may
contain additional "advisory" information that serves to act as an
explanation for the decision" appears inadequate. Based on examples from
SAML, and at least what I envision being produced by a PDP, the authorization
decision will include the operation that is permitted, e.g. read, write,
provision, execute, provision, use, etc.

We need a definition for Authorization Attributes before we can address the
concern "I am disturbed about the fact that Authorization Attributes appear
in Figure 1 but don't appear in Figure 2. Are there attributes whose schema
are likely to be closely coupled with the Authorization Policies defined within
the security domain? Does the definition of these attributes then fall
within the scope of XACML?"

-----Original Message-----
From: Pilz, Gilbert [mailto:gpilz@jamcracker.com]
Sent: Thursday, June 07, 2001 6:08 PM
To: 'xacml@lists.oasis-open.org'
Cc: security-services@lists.oasis-open.org
Subject: proposed XACML Domain Model


Attached is my strawman proposal for the XACML Domain Model. Basically it is
just a reference to the SAML Domain Model with some changes and additions.

 <<draft-xtc-use-domain-01.doc>> 

--
 <<Gilbert Pilz.vcf>> 
