Subject: Re: [xacml] Proposed resolution from PM-8-01 to PM-8-07
I support these.

-Anne

On 22 March, Michiharu Kudoh writes: [xacml] Proposed resolution from PM-8-01 to PM-8-07
> From: Michiharu Kudoh <KUDO@jp.ibm.com>
> Subject: [xacml] Proposed resolution from PM-8-01 to PM-8-07
> Date: Fri, 22 Mar 2002 15:26:39 +0900
>
> I believe the following issues from Issues Version 05 for which I am listed
> as the champion can be closed based on our latest
> Face-to-Face agreements:
>
> - ISSUE: PM-8-01: Internal v.s. External post conditions
> XACML does not support any distinction between internal obligation and
> external obligation. It depends on the configuration of PEP and/or PDP.
>
> - ISSUE: PM-8-02: Mandatory v.s. advisory post conditions
> XACML does not support any distinction between mandatory obligation and
> advisory obligation. The meaning of the obligation is determined in each
> application.
>
> - ISSUE: PM-8-03: Inapplicable
> The obligation is not returned to PEP when the authorization decision is
> determined as inapplicable or indeterminate.
>
> -ISSUE: PM-8-04: Base policy v.s. policy reference
> The obligation is specified in both policyStatement and
> policyCombinationStatement. The scope of the obligation is defined in
> ISSUE: PM-1-02 as "The set of obligations returned by each level of
> evaluation includes only those obligations associated with the effect
> element being returned by the given level of evaluation. For example, a
> policy set may include some policies that return Permit and other policies
> that return Deny for a given request evaluation. If the policy combiner
> returns a result of Permit, then only those obligations associated with the
> policies that returned Permit are returned to the next higher level of
> evaluation. If the PDP's evaluation is viewed as a tree of
> policyCombinationStatements, policyStatements, and rules, each of which
> returns "Permit" or "Deny", then the set of obligations returned by the PDP
> will include only the obligations associated paths where the effect at each
> level of evaluation is the same as the effect being returned by the PDP."
>
> -ISSUE: PM-8-05: How to return post-condition via SAML
> (I will post the resolution for this issue later)
>
> -ISSUE: PM-8-06: When to execute post condition
> When and how PEP executes obligation depends on each application. XACML (as
> PDP) does not assume any specific semantics. While obligation implies that
> specified operation must be dealt with prior to the requested access, it
> does not necessarily mean that the specified operations must be executed
> synchronously. Taking the obligatory operation usage scenario like
> "customers can register themselves with their private information provided
> that such information is deleted in 90 days--- obligation is
> delete-in-90days", it is impossible to execute "delete-in-90days"
> obligation prior to the requested access. It would be reasonable if such
> operation is queued in the application and guaranteed to be executed later.
>
> -ISSUE: PM-8-07: Extension point (line 1315 is typo, the issue number
> should be PM-8-07)
> Extension point of obligation is 1. obligationId in policyStatement or
> policyCombinationStatement and 2. ruleSet combiner or policySet combiner.
> This allows policy writers to specify arbitrary identifier of the
> user-defined obligation and to specify the semantics of how obligation is
> computed in response to the access request.
>
> Michiharu Kudo
>
> IBM Tokyo Research Laboratory, Internet Technology
> Tel. +81 (46) 215-4642 Fax +81 (46) 273-7428
>
>
>
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: <http://lists.oasis-open.org/ob/adm.pl>
>

--
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
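
Added example, not part of either message above and not code from the XACML specification: a small Python sketch of the obligation scoping quoted under PM-8-04 (obligations propagate only along paths whose effect matches the decision being returned) together with the PM-8-03 rule that nothing is returned for an inapplicable result. The names `Node`, `combine`, `evaluate` and `sample_tree`, the simplified combiners, and every obligation id except `delete-in-90days` are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"

@dataclass
class Node:
    """A rule (leaf, fixed effect) or a policy / policy set (has children)."""
    name: str
    effect: str = NA                 # leaf only: constructed stand-in for rule evaluation
    combiner: str = "deny-overrides"
    children: list = field(default_factory=list)
    obligations: dict = field(default_factory=dict)   # effect -> [obligation ids]

def combine(combiner, decisions):
    """Simplified combiners (assumption): Indeterminate is not modelled."""
    first, second = (DENY, PERMIT) if combiner == "deny-overrides" else (PERMIT, DENY)
    for effect in (first, second):
        if effect in decisions:
            return effect
    return NA

def evaluate(node):
    """Return (decision, obligations) for this level of the evaluation tree."""
    if not node.children:
        return node.effect, []
    results = [evaluate(child) for child in node.children]
    decision = combine(node.combiner, [d for d, _ in results])
    if decision not in (PERMIT, DENY):
        return decision, []          # PM-8-03: nothing is returned to the PEP
    # PM-8-04: keep only obligations from children whose effect matches ours...
    kept = [ob for d, obs in results if d == decision for ob in obs]
    # ...then add this level's own obligations for that effect.
    return decision, kept + node.obligations.get(decision, [])

def sample_tree(root_combiner):
    """Constructed policy set: one permitting, one denying, one inapplicable policy."""
    p1 = Node("P1", children=[Node("r1", effect=PERMIT)],
              obligations={PERMIT: ["log-access"], DENY: ["notify-admin"]})
    p2 = Node("P2", children=[Node("r2", effect=DENY)],
              obligations={DENY: ["alert-security"]})
    p3 = Node("P3", children=[Node("r3", effect=NA)],
              obligations={PERMIT: ["unused"]})
    return Node("root", combiner=root_combiner, children=[p1, p2, p3],
                obligations={PERMIT: ["delete-in-90days"]})

if __name__ == "__main__":
    for c in ("permit-overrides", "deny-overrides"):
        print(c, evaluate(sample_tree(c)))
```

With the same three policies, switching the root combiner changes which obligations reach the PEP, which is the behaviour a PEP implementer has to account for when deciding what it must enforce.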