OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


Subject: Re: [xacml] Obligations


you make a good point, however, i for one am not suggesting that the PEP 
*perform* all obligations to effect a grant. what i have proposed is 
that the PEP must *understand* the obligations to do so. to use your 
example this means that the PEP must know what "delete record after 60 
days" means to allow access. to my mind, a lack of understanding on teh 
part of the PEP is clearly an ERROR condition, and that will most 
certainly result in a deny.

b


Polar Humenn wrote:
> I don't like the proposal that if the PEP cannot perform all intended
> obligations on a Permit that the access decision should be "Deny".
> 
> It really begs the question of the PDP knowing what the PEP can or cannot
> fulfill in its policy evaluation, because it implies that if the
> obligation cannot be fulfilled by the PEP, that according to the proposal,
> it is actually really a Deny.
> 
> Even leaving the PDP out of it, the PEP may not know if it could fulfill
> any operations until the PEP actually tries it. In simplist scenario, the
> obligation may not even terminate, or may be something like "delete record
> after 60 days" as has been pointed out.
> 
> I think there may solution for that problem which is illustrated in a
> paper by Nafty Minsky. It's quite old, 1985, but might be to the point.
> The citation is below. I'll put the approach in our context:
> 
> Since the PDP is asked by the PEP for a specific access request, we might
> want the PEP (or some other entity under control of the PEP) to keep track
> of enacted obligations and make sure that they are fulfiled.
> 
> Obligations have the form of a triple of (deed,deadline,saction) where the
> semantics are to the PEP: The obligation says that the deed must be
> fullfilled by the deadline, or else the sanction will be executed (i.e.
> rectifying the situation). No, the sanction cannot be "deny".
> 
> You have to take the following philosophy:
> 
> Access has been granted with certain obligations and if obligations are
> not fullfiled (by the deadline), then something is done to rectify the
> situation, i.e. possibly: for being granted access some punishment is upon
> you for not fullfilling the obligations.
> 
> This approach allows the PDP to tell the PEP what to do in the event that
> the PEP cannot enforce the obligations to be met, within some time frame,
> instead trying to figure out whether obligations like (delete record in 60
> days) can be fullfiled.
> 
> The Citation. It is avalable off of the ACM Portal.
> 
> Proceedings of the 8th international conference on Software engineering
> 1985 , London, England
> 
>   Ensuring integrity by adding obligations to privileges
> 
>   Authors
>     Naftaly H. Minsky
>     Abe D. Lockman
> 
>   Sponsors
>     IEEE-CS : Computer Society
>     SIGSOFT : ACM Special Interest Group on Software Engineering
> 
>   Publisher
>    IEEE Computer Society Press   Los Alamitos, CA, USA
> 
>     Pages: 92 - 102  Proceeding-Article
>     Year of Publication: 1985
>     ISBN:0-8186-0620-7
> 
> 
> Cheers,
> -Polar
> 
> 
> 
> 
> 
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: <http://lists.oasis-open.org/ob/adm.pl>
> 




[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


Powered by eList eXpress LLC