RE: [xacml] New resolution for PM-1-02: Post-Conditions

[Michiharu Kudoh <KUDO@jp.ibm.com>]

Ken,

The revised proposal sumitted by Anne is fine with me. My opinion is that
since the PEP is definitely responsible for controlling the access to the
resource, the ultimate decision is determined by the PEP's policy in
addition to the authorization decision assertion returned by the PDP. This
is in line with Tim's opinion that "PEP may knowingly disregard an
obligation. But, it SHALL NOT disregard an obligation that it does not
recognize." in
http://lists.oasis-open.org/archives/xacml/200203/msg00090.html
I think that the Anne's revised statement is also in line with this policy.

Best
Michiharu Kudo

IBM Tokyo Research Laboratory, Internet Technology
Tel. +81 (46) 215-4642   Fax +81 (46) 273-7428




                                                                                                                 
                    Ken Yagen                                                                                    
                    <kyagen@crossl       To:     "'Anne Anderson'" <Anne.Anderson@Sun.com>, XACML TC             
                    ogix.com>             <xacml@lists.oasis-open.org>                                           
                                         cc:                                                                     
                    2002/03/28           Subject:     RE: [xacml] New resolution for PM-1-02: Post-Conditions    
                    11:51                                                                                        
                    Please respond                                                                               
                    to Ken Yagen                                                                                 
                                                                                                                 
                                                                                                                 






Is this issue ready to close? There was a lot of discussion after the
original posting by Michiharu. Is everyone in aggreement with Anne's
modifications? If so, I'll flag it in the issues list to be voted on.

Ken Yagen
Director, Software Development
CrossLogix, Inc
www.crosslogix.com


-----Original Message-----
From: Anne Anderson [mailto:Anne.Anderson@Sun.com]
Sent: Tuesday, March 26, 2002 8:01 AM
To: XACML TC
Subject: [xacml] New resolution for PM-1-02: Post-Conditions

Colleagues, we voted to close issue PM-1-02, but decisions made in later
votes affects some of the wording of the resolution to this issue.  Here is
the original resolution as approved, along with changes I propose based on
our later votes in []:

  We use the term "obligation" to mean what we have previously
  been calling "post condition". The issue of the term is
  addressed in PM-1-03.

  [CHANGE TO: "Obligations are annotations": The obligation is an
  annotation] that MAY be specified in a policyStatement and/or
  policyCombinationStatement that should be returned in
  conjunction with an authorization decision meaning that the
  obligations(s) SHOULD be executed by the PEP. The obligation is
  specified using URI reference with optional arguments. [DELETE:
  The processing rules of the obligation is defined by ruleSet
  combiner or policySet combiner. XACML provides a couple of
  combiner examples that deals with obligations in the
  informative section.] The actual meaning of each obligation
  [CHANGE TO "depends on the": differs from] application. It also
  depends on the configuration of the PEP and/or PDP. If the PEP
  does not [CHANGE TO "recognize": understand] an obligation, the
  PEP should deny access. [DELETE: The PDP just collects
  obligations.]

  [DELETE: (from F2F#4 minutes) ]The set of obligations returned
  by each level of evaluation includes only those obligations
  [ADD: "returned by rules, policyStatements, or
  policyCombinationStatements that were actually evaluated by the
  combiner algorithm, and "] associated with the effect element
  being returned by the given level of evaluation.  For example,
  a policy set may include some policies that return Permit and
  other policies that return Deny for a given request
  evaluation. If the policy combiner returns a result of Permit,
  then only those obligations associated with the policies [ADD:
  "that were evaluated, and "] that returned Permit are returned
  to the next higher level of evaluation.  If the PDP's
  evaluation is viewed as a tree of policyCombinationStatements,
  policyStatements, and rules, each of which returns "Permit" or
  "Deny", then the set of obligations returned by the PDP will
  include only the obligations associated [ADD: "with evaluated"]
  paths where the effect at each level of evaluation is the same
  as the effect being returned by the PDP.

--
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692

----------------------------------------------------------------
To subscribe or unsubscribe from this elist use the subscription
manager: <http://lists.oasis-open.org/ob/adm.pl>