

Subject: RE: Policies with No Subject


I was not at the F2F and did not hear the discussion, but I wouldn't think it to be too unreasonable to consider subject differently than location, time, and other policy variables. Along the same lines you could frame arguments that privilege and resource are not necessary. You can have a user or role that has access to all resources or can perform any kind of transaction with a particular resource. I think it is pretty well accepted that there are a lot of (but not all) policies that refer to a subject and that makes it important enough to be considered as a required part of the policy language.

Ken Yagen
Director, Software Development
CrossLogix, Inc
www.crosslogix.com
 

-----Original Message-----
From: Hal Lockhart [mailto:hal.lockhart@entegrity.com]
Sent: Wednesday, September 19, 2001 2:26 PM
To: xacml@lists.oasis-open.org
Subject: Policies with No Subject


At the F2F I asserted that a policy could contain zero or more subjects. The
use of a policy with zero subjects was questioned. My answer was that if the
policy did not consider any information about a subject, there was no need
for a subject in the policy. For example, if the policy says the resource
can be accessed between 24:00 and 6:00, there is no need to specify a
subject.

At the meeting several people agreed that in a case like this, there would
still be a subject. There would be some kind of indicator that it applied to
all subjects, such as "*" or "ALL". I conceded this possibility at the time
and the discussion turned to other topics.

I now believe that this is illogical. I assume that policies can take as
inputs items such as the date and time, network location, method of
authentication and so on. Therefore, if a policy that does not consider
subject information must contain "all subjects" then logically a policy that
does not consider time must contain "all times", a policy that does not
consider location must contain "all locations" and so on.

This would obviously cause every policy to become encrusted with useless
junk. I think it is clearly much simpler to put into each policy just the
items that need to be evaluated and leave out the others. The point is that
I consider subject to be just one type of input that may or may not be used
for policy decisions.

Hal
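
The two policy forms debated in this thread, as an added example that is not part of either message and is not XACML syntax: the time-only policy from the original post, written once with only the inputs it evaluates and once with a "*" entry for every unused input. The dictionary layout, the input names, the reading of "24:00 to 6:00" as 00:00 <= t < 06:00, and the deny-on-missing-input behaviour are assumptions made for the illustration.

```python
# Added illustration; all names and policy shapes here are hypothetical.
from datetime import time

ANY = "*"  # wildcard marker, as in the "*" / "ALL" proposal

def night_hours(t):
    # "between 24:00 and 6:00", modelled as 00:00 <= t < 06:00 (assumption)
    return time(0, 0) <= t < time(6, 0)

# Form 1: the policy names only the inputs it evaluates.
SPARSE_POLICY = {"time": night_hours}

# Form 2: every known input type must appear, wildcarded when unused.
KNOWN_INPUTS = ("subject", "time", "location", "auth_method")
WILDCARD_POLICY = {"subject": ANY, "time": night_hours,
                   "location": ANY, "auth_method": ANY}

def evaluate(policy, request):
    """Permit only if every condition present in the policy holds."""
    for attr, cond in policy.items():
        if cond == ANY:
            continue  # wildcard matches any value, including an absent one
        if attr not in request:
            return "Deny"  # assumption: a referenced but missing input fails closed
        if not cond(request[attr]):
            return "Deny"
    return "Permit"

def is_well_formed_wildcard(policy, known_inputs=KNOWN_INPUTS):
    """Form 2 only: a policy is valid when it mentions every known input."""
    return all(attr in policy for attr in known_inputs)

# Constructed sample requests.
REQUESTS = [
    {"subject": "alice", "time": time(2, 30), "location": "10.0.0.5"},
    {"subject": "bob", "time": time(14, 0), "location": "10.0.0.9"},
    {"time": time(5, 59)},   # no subject information at all
    {"subject": "carol"},    # no time supplied
]

def decisions(policy):
    return [evaluate(policy, r) for r in REQUESTS]

if __name__ == "__main__":
    print(decisions(SPARSE_POLICY))
    print(decisions(WILDCARD_POLICY))
```

Both forms return the same decisions for every request; the difference is that the wildcard form stops being well-formed as soon as a new input type is added to the known set, so every existing policy has to be edited.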
