Subject: RE: [xacml] Comments on draft 0.7
Colleagues - Apologies.  The comment on Section 3.2.5 got garbled.  It should read ...
 
"Section 3.2.5 - It is better to make the parameters attributes of the resource, not the action.  Otherwise, a different solution for binding policy to the saml authorization query must be devised.  In the example given, the resource can be the "withdrawal", with attribute "500,000", then the action can be "approve".  The policy can then be bound to the resource "withdrawal" and the action "approve"."
 
In addition, the saml authorization query does not have an element for an action parameter.
 
All the best.  Tim.

-----------------------------------------
Tim Moses
Tel: 613.270.3183

 
-----Original Message-----
From: Tim Moses [mailto:tim.moses@entrust.com]
Sent: Wednesday, November 28, 2001 10:32 AM
To: 'XACML'
Subject: [xacml] Comments on draft 0.7

Colleagues - Here are my comments on draft 0.7 ...

Line 163 - Policies will commonly evaluate attributes of a principal, or set of principals, not merely its identity.

Line 165 - Allowing dynamic actions seems unnecessarily complicated.  This section doesn't address the question of how a policy is bound to a saml authorization query.  In the explanation of Figure 2, we say that policies are identified with the resource action and resource classification, meaning that this information is contained in the policy instance, and used to identify the policy, for purposes of locating, retrieving and verifying it.  This solution is impacted if actions are dynamic.

Line 168 - PDPs may also execute some post-conditions.

Lines 179-181 - Figure 2 accommodates this requirement by identifying separate types for role, classification and environment attributes.

Section 3.2.3 - Figure two provides a solution without differentiating between expressions for principals, resources and environment.  Some policies will require comparison between attributes of principals and attributes of resources.  So, separating expressions for principals from expressions for resources does not seem helpful.

Line 187 - Contains a new definition for "role", viz. "privileged position".

Section 3.2.5 - It is better to make the parameters attributes of the resource, not the action.  Otherwise, a different solution for binding policy to the saml authorization query must be devised.  In the example given, the resource can be the "withdrawal", with attribute "500,000", then the action can be "withdraw".  The policy can then be bound to the resource "withdrawal" and the action "approve".

Line 243 and on - According to the explanation of Figure 2, rules must be logically combined in policy.  They are not merely "listed".  This removes any ambiguity about combining rules.

Line 300 - Dynamic conditions are accommodated in the model using "external functions".

Line 301 - Post conditions are accommodated in the model.

Line 302 - Content "introspection" is accommodated in the model for both XML documents and non-XML documents.  In the former case, the resource attribute contains an XPath expression into a document of the specified type, it being implied that the instance referred to is the one identified by the saml authorization query.  In the latter case, the resource attribute contains an XPath expression into a saml attribute assertion, probably issued by the PEP and containing attributes of, or values from, the resource.

Line 313 - This is dealt with in Figure 9.

Line 316 - Our ToC should contain a section in which the virtual machine is described.


-----------------------------------------
Tim Moses
Tel: 613.270.3183
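The binding question raised in both messages above (locate the policy by resource classification and action, keep "500,000" as an attribute of the resource rather than a parameter of the action, combine rules logically rather than listing them, and express a resource attribute as an XPath into the resource document) can be made concrete with a small model. The following Python is an added illustration, not code from the XACML draft or from the thread; the class names, the deny-overrides combining step and the sample withdrawal document are all constructed here, and the query shape mirrors only the two elements the thread attributes to the saml authorization query (resource and action, with no slot for action parameters):

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Rule:
    # A resource attribute expressed as an XPath into the resource document
    # (ElementTree's XPath subset is enough for element paths and
    # attribute predicates such as amount[@currency='USD']).
    xpath: str
    predicate: Callable[[str], bool]
    effect: str  # "Permit" or "Deny"


@dataclass
class Policy:
    resource_type: str  # resource classification the policy is bound to
    action: str         # resource action the policy is bound to
    rules: List[Rule]


@dataclass
class AuthzQuery:
    # Constructed stand-in for the authorization query: a resource and an
    # action only. There is deliberately no field for action parameters,
    # so anything the policy needs to evaluate must be a resource attribute.
    resource_type: str
    action: str
    resource_doc: str  # the XML instance the query refers to


def bind_policy(policies: List[Policy], query: AuthzQuery) -> Optional[Policy]:
    """Locate the policy by (resource classification, action).

    Because the amount lives on the resource, not on the action, the lookup
    key is static and does not change with the value being approved.
    """
    for policy in policies:
        if policy.resource_type == query.resource_type and policy.action == query.action:
            return policy
    return None


def evaluate_rule(rule: Rule, root: ET.Element) -> Optional[str]:
    """Resolve the rule's XPath against the resource document and apply the
    predicate to the selected value. A missing attribute means the rule does
    not apply (None), which is distinct from Deny."""
    node = root.find(rule.xpath)
    if node is None or node.text is None:
        return None
    return rule.effect if rule.predicate(node.text.strip()) else None


def decide(policies: List[Policy], query: AuthzQuery) -> str:
    """Bind a policy, evaluate its rules, and combine their effects."""
    policy = bind_policy(policies, query)
    if policy is None:
        return "NotApplicable"
    root = ET.fromstring(query.resource_doc)
    effects = [e for e in (evaluate_rule(r, root) for r in policy.rules) if e]
    # Rules are logically combined, not merely listed: here deny-overrides,
    # a constructed choice for the illustration.
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"


# Constructed sample policy bound to resource "withdrawal" and action "approve".
WITHDRAWAL_POLICY = Policy(
    resource_type="withdrawal",
    action="approve",
    rules=[
        Rule("./amount[@currency='USD']", lambda v: int(v) <= 1_000_000, "Permit"),
        Rule("./amount", lambda v: int(v) > 1_000_000, "Deny"),
    ],
)


def withdrawal_doc(amount: int, currency: str = "USD") -> str:
    """Constructed resource document carrying the amount as a resource attribute."""
    return f'<withdrawal id="w-1"><amount currency="{currency}">{amount}</amount></withdrawal>'


if __name__ == "__main__":
    query = AuthzQuery("withdrawal", "approve", withdrawal_doc(500_000))
    print(decide([WITHDRAWAL_POLICY], query))
```

Note that the policy is found without knowing the amount, and a request for a different action ("withdraw") or a document whose amount is not in the expected currency falls through to NotApplicable rather than to a silent Permit, which is the behaviour a PDP should exhibit when the bound policy says nothing about the attribute values presented.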