Subject: FW: PDFs of glossary and bindings
Since XACML and SAML are supposed to have consistent glossaries, I am making comments on the recent Security Services glossary posting and attaching the glossary for the benefit of XACML folks. My comments are marked with =>.

Access Control Decision - The decision arrived at as a result of evaluating the requester's identity, the requested operation, and the requested resource in light of applicable security policy. (Surprisingly enough, not explicitly defined in [10].)

=> The above definition seems to leave out consideration of environmental factors, e.g. time, channel over which the request was made or delivery required, etc. Your glossary would seem to call this Access Control Factors.

Policy Decision - essentially synonymous with Access Control Decision.

=> For the purposes of security the above may be true, but for other things it is not, e.g. a policy language might express that packets from source X bound for destination Y be routed over Z, or it might say ONLY packets from source X bound for destination Y MAY be routed over Z. I think this reflects what I see as the sometimes subtle difference between policy (i.e. you may, you should, you must, you may not, you should not, you must not), entitlement (i.e. you may) and access control (i.e. you may not). Separately, is the following true? Access Control Policy = Security Policy. If so, the Policy Decision is a superset of Access Control Decision, not a synonym. BTW, I am getting the sense that the AC in XACML is a bad choice. Perhaps we should have used XP(olicy)ML instead.

Assertion - (a) A piece of data constituting a declaration of identity or authorizations. See also: credential. (b) "Data that is transferred to establish the claimed identity of an entity." [9]

=> This seems way too narrow a definition of Assertion, particularly if one is concerned with interoperable glossaries. Assertions can clearly be about many things.

Attribute - A distinct characteristic of an object...

=> Can't services or processes also have attributes? Or does the glossary need a definition of object that includes service?

Authorization Identity - An authorization identity is one kind of access control factor. It is the name of the user or other entity that requests that operations be performed. Access control policies are often expressed in terms of authorization identities; e.g., entity X can perform operation Y on resource Z.

=> I believe the correct term above is "may", not "can", in that "can" actually denotes capability rather than permission.

Capability - A token that gives its holder the right to access a system resource. Possession of the token is accepted by the access control mechanism as proof that the holder has been authorized to access the resource named or indicated by the token. [12]

=> Shouldn't this be "capability token" or "capability assertion"? After all, I may be capable of reading your medical record although I don't have permission, particularly if I'm a good hacker ;-)

End User System - Typically the combination of: an End User, plus the End User's computer, plus the browser running on that computer.

=> Isn't "browser" a bit too specific? It implies we are operating only in a Web world.

Entitlement - (a) A data structure containing Access Control Decision Information and/or access control policy rule information in a form usable by applications to, ...

=> Shouldn't this be "entitlement assertion"?

Policy Decision Point - (a) A [system] entity that makes policy decisions for itself or for other system entities that request such decisions. [31] (b) Synonymous with Access Control Decision Function. [10] (c) Synonymous with AAA Server.

=> Couldn't an AAA Server include a PEP? In which case, an AAA Server is a superset of a PDP, not a synonym.

Finally, has anyone considered giving some of these terms grounding and reference from Webster's, OED, IETF, ISO specs or some other source within the body of the definition instead of using general endnotes?
> -----Original Message-----
> From: George_Robert_Blakley_III@tivoli.com
> [mailto:George_Robert_Blakley_III@tivoli.com]
> Sent: Friday, June 22, 2001 11:12 AM
> To: security-services@lists.oasis-open.org;
> security-editors@lists.oasis-open.org
> Subject: PDFs of glossary and bindings
> Importance: High
>
> All,
>
> For those of you who prefer .pdf to .doc, I'm attaching the .pdfs of the
> current glossary draft and the bindings specification for FTF #3.
>
> (See attached file: draft-sstc-ftf3-bindings-model-00.PDF)
> (See attached file: draft-sstc-ftf3-glossary-00.PDF)
>
> --bob
>
> Bob Blakley (blakley@tivoli.com, regardless of what the email headers may say!)
> Chief Scientist
> Enterprise Solutions Unit
> Tivoli Systems, Inc. (an IBM Company)
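The message above argues that an access control decision depends on more than the requester, operation and resource: environmental factors such as time of day and the channel the request arrives over also count, and a policy decision can say "you must not" as well as "you may". The following is an added example, not code from the list message, from the SAML or XACML drafts, or from any OASIS deliverable. It sketches a minimal policy decision point (PDP) that evaluates a request against rules over subject, action, resource and environment attributes, with a policy enforcement point (PEP) that acts only on an explicit Permit. Every rule, attribute name, the "deny overrides" combining order, the role and patient data, and the sample requests are constructed for illustration and are assumptions, not anything the glossary draft defines.

```python
"""
Added example (not from the list message, SAML or XACML): a minimal PDP/PEP
that evaluates a request in terms of four kinds of access control factors:
subject (the authorization identity), action, resource and environment.
Environment attributes (request time, channel) are the factors the message
argues the "Access Control Decision" definition leaves out.  All rules,
attribute names and sample requests are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import time
from typing import Callable

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass(frozen=True)
class Request:
    subject: dict
    action: str
    resource: dict
    environment: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str                         # PERMIT ("you may") or DENY ("you must not")
    matches: Callable[[Request], bool]  # rule target/condition over all four factors


def deny_overrides(rules, request):
    """Combining algorithm (assumed): any matching Deny beats any matching
    Permit; a request that no rule matches is NotApplicable, not Permit.
    Returns (decision, name of the rule that produced it)."""
    permit_rule = None
    for rule in rules:
        if not rule.matches(request):
            continue
        if rule.effect == DENY:
            return DENY, rule.name
        if permit_rule is None:
            permit_rule = rule.name
    return (PERMIT, permit_rule) if permit_rule else (NOT_APPLICABLE, None)


def business_hours(req):
    """Environment condition; a request with no time attribute fails closed."""
    t = req.environment.get("time")
    return t is not None and time(8, 0) <= t < time(18, 0)


POLICY = [  # constructed rules
    # Entitlement-style rule: a clinician may read records of their own patients.
    Rule("clinician-reads-own-patient", PERMIT,
         lambda r: r.subject.get("role") == "clinician"
         and r.action == "read"
         and r.resource.get("type") == "medical-record"
         and r.resource.get("patient") in r.subject.get("patients", ())),
    # Environment-dependent prohibition: no record reads outside business hours.
    Rule("no-after-hours-reads", DENY,
         lambda r: r.action == "read"
         and r.resource.get("type") == "medical-record"
         and not business_hours(r)),
    # Channel restriction: records may only be delivered over an encrypted channel.
    Rule("require-tls", DENY,
         lambda r: r.resource.get("type") == "medical-record"
         and r.environment.get("channel") != "tls"),
]


def pdp_decide(request, rules=POLICY):
    return deny_overrides(rules, request)


def pep_enforce(request, rules=POLICY):
    """PEP: only an explicit Permit lets the operation proceed; NotApplicable
    (no entitlement found) is refused just like Deny."""
    decision, _ = pdp_decide(request, rules)
    return decision == PERMIT


ALICE = {"id": "alice", "role": "clinician", "patients": ("p-100", "p-101")}  # constructed


def sample_requests():
    """Constructed requests: the same subject/action/resource triple yields
    different decisions once environment factors are taken into account."""
    base = dict(subject=ALICE, action="read",
                resource={"type": "medical-record", "patient": "p-100"})
    in_hours = time(10, 30)
    return {
        "in-hours-tls": Request(**base, environment={"time": in_hours, "channel": "tls"}),
        "after-hours": Request(**base, environment={"time": time(23, 0), "channel": "tls"}),
        "plaintext": Request(**base, environment={"time": in_hours, "channel": "plain"}),
        "other-patient": Request(subject=ALICE, action="read",
                                 resource={"type": "medical-record", "patient": "p-999"},
                                 environment={"time": in_hours, "channel": "tls"}),
        "unrelated": Request(subject=ALICE, action="read", resource={"type": "calendar"},
                             environment={"time": in_hours, "channel": "tls"}),
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        print(f"{name:14s} -> {pdp_decide(req)}  enforce={pep_enforce(req)}")
```

The "other-patient" and "unrelated" requests come back NotApplicable rather than Deny: no rule grants or forbids them, which is the gap between "no entitlement" and "access control says you may not" that the message draws. The PEP closes that gap by refusing anything that is not an explicit Permit.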