Subject: Re: [xacml] Obligations



On Mon, 25 Feb 2002, Simon Godik wrote:

> In this model (deed, deadline, sanction) what party is taking on
> responsibility on applying sanction?

I would imagine the same entity that needs to check that the obligation
has been fulfilled. It is advice to the PEP, just as is the obligation.

Obligations (so far) are unwieldy things in that you don't know if the PEP
is to fulfill them, or the PEP orders them to be fulfilled by a
particular party, or the PEP orders them to be fulfilled by anybody.

So, I guess you might name the party responsible for carrying out the
obligation as well as the party to carry out the sanction.

-Polar


>
> Simon
>
> ----- Original Message -----
> From: "Polar Humenn" <polar@syr.edu>
> To: "XACML" <xacml@lists.oasis-open.org>
> Sent: Monday, February 25, 2002 6:45 AM
> Subject: [xacml] Obligations
>
>
> >
> > I don't like the proposal that if the PEP cannot perform all intended
> > obligations on a Permit that the access decision should be "Deny".
> >
> > It really begs the question of the PDP knowing what the PEP can or cannot
> > fulfill in its policy evaluation, because it implies that if the
> > obligation cannot be fulfilled by the PEP, that according to the proposal,
> > it is actually really a Deny.
> >
> > Even leaving the PDP out of it, the PEP may not know if it could fulfill
> > any operations until the PEP actually tries it. In the simplest scenario, the
> > obligation may not even terminate, or may be something like "delete record
> > after 60 days" as has been pointed out.
> >
> > I think there may be a solution for that problem which is illustrated in a
> > paper by Nafty Minsky. It's quite old, 1985, but might be to the point.
> > The citation is below. I'll put the approach in our context:
> >
> > Since the PDP is asked by the PEP for a specific access request, we might
> > want the PEP (or some other entity under control of the PEP) to keep track
> > of enacted obligations and make sure that they are fulfilled.
> >
> > Obligations have the form of a triple of (deed,deadline,sanction) where the
> > semantics are to the PEP: The obligation says that the deed must be
> > fulfilled by the deadline, or else the sanction will be executed (i.e.
> > rectifying the situation). No, the sanction cannot be "deny".
> >
> > You have to take the following philosophy:
> >
> > Access has been granted with certain obligations and if obligations are
> > not fulfilled (by the deadline), then something is done to rectify the
> > situation, i.e. possibly: for being granted access some punishment is upon
> > you for not fulfilling the obligations.
> >
> > This approach allows the PDP to tell the PEP what to do in the event that
> > the PEP cannot enforce the obligations to be met, within some time frame,
> > instead of trying to figure out whether obligations like (delete record in 60
> > days) can be fulfilled.
> >
> > The Citation. It is available off of the ACM Portal.
> >
> > Proceedings of the 8th international conference on Software engineering
> > 1985 , London, England
> >
> >   Ensuring integrity by adding obligations to privileges
> >
> >   Authors
> >     Naftaly H. Minsky
> >     Abe D. Lockman
> >
> >   Sponsors
> >     IEEE-CS : Computer Society
> >     SIGSOFT : ACM Special Interest Group on Software Engineering
> >
> >   Publisher
> >    IEEE Computer Society Press   Los Alamitos, CA, USA
> >
> >     Pages: 92 - 102  Proceeding-Article
> >     Year of Publication: 1985
> >     ISBN:0-8186-0620-7
> >
> >
> > Cheers,
> > -Polar
>
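
The (deed, deadline, sanction) triple from the quoted proposal, with the responsible parties named as the reply suggests, sketched as a PEP-side tracker. This is an added example, not part of either message or of any XACML specification; the class, field and method names and the sample obligations are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List

@dataclass
class Obligation:
    deed: str                    # what must be done
    deadline: datetime           # by when
    sanction: Callable[[], str]  # rectifying action, never a retroactive "deny"
    responsible: str             # party that must carry out the deed
    sanctioner: str              # party that applies the sanction
    fulfilled: bool = False
    sanctioned: bool = False

class ObligationTracker:
    """Hypothetical PEP-side ledger of obligations attached to Permit decisions."""
    def __init__(self) -> None:
        self._ledger: Dict[str, Obligation] = {}
        self.audit: List[str] = []

    def enact(self, oid: str, ob: Obligation) -> None:
        # Access is already granted; the obligation is tracked from here on.
        self._ledger[oid] = ob

    def fulfil(self, oid: str, now: datetime) -> bool:
        ob = self._ledger[oid]
        if now <= ob.deadline and not ob.sanctioned:
            ob.fulfilled = True
        return ob.fulfilled

    def sweep(self, now: datetime) -> List[str]:
        """Run the sanction once for every obligation that missed its deadline."""
        applied = []
        for oid, ob in self._ledger.items():
            if not ob.fulfilled and not ob.sanctioned and now > ob.deadline:
                ob.sanctioned = True
                self.audit.append(f"{oid}: {ob.sanctioner} applied sanction: {ob.sanction()}")
                applied.append(oid)
        return applied

def demo():
    t0 = datetime(2002, 2, 25)  # constructed sample data
    pep = ObligationTracker()
    pep.enact("ob-1", Obligation("delete record", t0 + timedelta(days=60),
                                 lambda: "suspend requester", "requester", "PEP"))
    pep.enact("ob-2", Obligation("notify owner", t0 + timedelta(days=1),
                                 lambda: "escalate to administrator", "PEP", "PEP"))
    pep.fulfil("ob-2", t0 + timedelta(hours=3))
    days = (59, 61, 62)  # before the deadline, after it, and a repeat sweep
    return tuple(pep.sweep(t0 + timedelta(days=d)) for d in days)
```
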
