
Subject: RE: [xacml] We resolve ...


Hi

>  Should Hal and I interpret the silence to mean that everyone is ready
> to vote in favour of Tim's proposals? 

i agree with the fact that the current proposal is able to implement the 
global deny scenario. no doubt about that: if your restrictions (i.e., the 
deny you want to enforce) are ANDed with the other possible policies, nobody 
will be able to overrule your restrictions.

the reason why i am not too excited with the current proposal is that it 
seems perfectly fine for communicating policies, but it seems complex to 
manage. 

first of all you have to make sure that the applicable policy is in a 
single place (sure possibly using URL of other policies) but you cannot 
allow overlapping targets (which seemed to be the case till now, i 
believe). 

second, the priority of your rules is explicitly managed with the policy 
definition, which may make administration heavy. Who is in charge of 
specifying the applicable policy? This will be the only one able to 
specify global deny: if i understand Tim/Anne's proposals correctly, 
possible negative authorizations in other policies have the effect only 
within that policy (this is fine with me, it seems conceptually clean).

Now for instance, suppose you want to enforce a situation in which any of 
us can grant authorizations and, possibly denials, for some access and 
a denial-take-precedence policy should be enforced (meaning it is sufficient 
that one of us says "deny" (because of a negative authorization), and the 
access should be rejected). How do you enforce this? You cannot have the 
different administrators operate on the applicable policy (meaning 
actually have writing privilege on that document).

I am not sure i will be in for the concall (if i can i will stay for the
beginning). I have already talked to Ernesto, who will participate.  The plan
should be to go over the issue to see champions and prepare for the F2F. If
time allows, discuss Anne/Tim's proposals and maybe postconditions, which
were never discussed in detail.

best
-p
P.S., Simon, have you circulated the alternative approach we talked about 
in the last concall?
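
The scenario raised in the message above, sketched as an added example that is not part of the original post or of the proposals it discusses: each administrator writes only their own policy, and a combiner applies denial-takes-precedence across them, so nobody needs write access to a shared applicable policy. The names (`Rule`, `evaluate_policy`, `denial_takes_precedence`, the sample administrators and requests) are hypothetical, and letting a Deny win inside each individual policy is an assumption.

```python
from dataclasses import dataclass

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

@dataclass(frozen=True)
class Rule:
    effect: str      # PERMIT or DENY
    subject: str     # "*" matches any value
    resource: str
    action: str

    def matches(self, request):
        # A rule applies when every target field is a wildcard or equals the request.
        return all(want in ("*", request[key]) for key, want in
                   (("subject", self.subject), ("resource", self.resource),
                    ("action", self.action)))

def evaluate_policy(rules, request):
    """Evaluate one administrator's policy (assumption: Deny wins inside it)."""
    effects = {r.effect for r in rules if r.matches(request)}
    if DENY in effects:
        return DENY
    return PERMIT if PERMIT in effects else NOT_APPLICABLE

def denial_takes_precedence(policies, request):
    """Combine separately owned policies: a Deny from any one administrator rejects."""
    results = {admin: evaluate_policy(rules, request)
               for admin, rules in policies.items()}
    deniers = sorted(admin for admin, d in results.items() if d == DENY)
    if deniers:
        return DENY, deniers          # report who denied, for administration
    if PERMIT in results.values():
        return PERMIT, []
    return NOT_APPLICABLE, []

# Constructed sample: three administrators, each editing only their own policy.
POLICIES = {
    "alice": [Rule(PERMIT, "*", "report.doc", "read")],
    "bob":   [Rule(PERMIT, "carol", "report.doc", "write"),
              Rule(DENY, "mallory", "*", "*")],
    "dave":  [Rule(DENY, "*", "report.doc", "write")],
}

def request(subject, resource, action):
    return {"subject": subject, "resource": resource, "action": action}
```
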


