

Subject: RE: [xacml] Version 0.7



Michiharu - Regarding point 1 ...

Here is my understanding.  It is the responsibility of the PDP to ensure that internal post-conditions are executed successfully before it may return a "permit" SAML status code.  Whether it achieves this by means of a local or remote function is not important.  As currently proposed, the function that it performs is described in WSDL.  However, it is an entirely private matter whether it actually uses a Web service with an interface described in WSDL, or some other means to achieve the required end.  WSDL is merely used as a standard interface definition.

Regarding point 2 ...

You propose adding a capability-style model, in addition to the access-control-style model that is currently described.  It was my understanding that we decided to avoid the capability-style of model early on.  However, even if my recollection is correct, it is possible that we made that decision without full consideration of the consequences.  So, I have included the topic in the list of issues for discussion on Monday.

All the best.  Tim.

-----------------------------------------
Tim Moses
Tel: 613.270.3183


-----Original Message-----
From: Michiharu Kudoh [mailto:KUDO@jp.ibm.com]
Sent: Friday, November 30, 2001 3:28 AM
To: Tim Moses <tim.moses
Cc: xacml@lists.oasis-open.org
Subject: Re: [xacml] Version 0.7



Here are my comments on draft 0.7.

Figure 1 - Data-flow diagram has an arrow 7 that is outgoing from PDP to
Web service. I thought that the internal post-condition is consumed only in
the PDP (e.g. as internal access history). This arrow does not match the
description of lines 146-151. Are there specific use cases of Web service
that require internal post-conditions?

Lines 131-136 - Are resource classification and the requested action enough
to identify the applicable policy? I agree that in most cases the resource
classification and the requested action are used. But there is the case
that the applicable policies are classified by subject attribute, for
example, the policy for US citizens and the policy for non-US citizens. In
that case, there may be no need for specifying any resource classification.
Thus, my suggestion is to add something like "principalClassification" to
the "applicability" element and change the minOccurs attribute to "0" for all
elements under "applicability".

regards,
Michiharu Kudo


From: Tim Moses <tim.moses@entrust.com> on 2001/11/28 01:28

Please respond to Tim Moses <tim.moses@entrust.com>

To:   "'XACML'" <xacml@lists.oasis-open.org>
cc:
Subject:  [xacml] Version 0.7





Colleagues - Here is version 0.7, as we decided yesterday.  All the best.
Tim.

-----------------------------------------
Tim Moses
Tel: 613.270.3183





