Subject: RE: [xacml] New resolution for PM-1-02: Post-Conditions
Ken,

The revised proposal submitted by Anne is fine with me. My opinion is that since the PEP is definitely responsible for controlling the access to the resource, the ultimate decision is determined by the PEP's policy in addition to the authorization decision assertion returned by the PDP. This is in line with Tim's opinion that "PEP may knowingly disregard an obligation. But, it SHALL NOT disregard an obligation that it does not recognize." in http://lists.oasis-open.org/archives/xacml/200203/msg00090.html

I think that Anne's revised statement is also in line with this policy.

Best
Michiharu Kudo
IBM Tokyo Research Laboratory, Internet Technology
Tel. +81 (46) 215-4642   Fax +81 (46) 273-7428


Ken Yagen <kyagen@crosslogix.com>
2002/03/28 11:51
Please respond to Ken Yagen

To: "'Anne Anderson'" <Anne.Anderson@Sun.com>, XACML TC <xacml@lists.oasis-open.org>
cc:
Subject: RE: [xacml] New resolution for PM-1-02: Post-Conditions

Is this issue ready to close? There was a lot of discussion after the original posting by Michiharu. Is everyone in agreement with Anne's modifications? If so, I'll flag it in the issues list to be voted on.

Ken Yagen
Director, Software Development
CrossLogix, Inc
www.crosslogix.com

-----Original Message-----
From: Anne Anderson [mailto:Anne.Anderson@Sun.com]
Sent: Tuesday, March 26, 2002 8:01 AM
To: XACML TC
Subject: [xacml] New resolution for PM-1-02: Post-Conditions

Colleagues,

we voted to close issue PM-1-02, but decisions made in later votes affect some of the wording of the resolution to this issue. Here is the original resolution as approved, along with changes I propose based on our later votes in []:

We use the term "obligation" to mean what we have previously been calling "post condition". The issue of the term is addressed in PM-1-03.
[CHANGE TO: "Obligations are annotations": The obligation is an annotation] that MAY be specified in a policyStatement and/or policyCombinationStatement that should be returned in conjunction with an authorization decision, meaning that the obligation(s) SHOULD be executed by the PEP. The obligation is specified using a URI reference with optional arguments. [DELETE: The processing rules of the obligation is defined by ruleSet combiner or policySet combiner. XACML provides a couple of combiner examples that deals with obligations in the informative section.]

The actual meaning of each obligation [CHANGE TO "depends on the": differs from] application. It also depends on the configuration of the PEP and/or PDP. If the PEP does not [CHANGE TO "recognize": understand] an obligation, the PEP should deny access. [DELETE: The PDP just collects obligations.]

[DELETE: (from F2F#4 minutes) ] The set of obligations returned by each level of evaluation includes only those obligations [ADD: "returned by rules, policyStatements, or policyCombinationStatements that were actually evaluated by the combiner algorithm, and "] associated with the effect element being returned by the given level of evaluation. For example, a policy set may include some policies that return Permit and other policies that return Deny for a given request evaluation. If the policy combiner returns a result of Permit, then only those obligations associated with the policies [ADD: "that were evaluated, and "] that returned Permit are returned to the next higher level of evaluation. If the PDP's evaluation is viewed as a tree of policyCombinationStatements, policyStatements, and rules, each of which returns "Permit" or "Deny", then the set of obligations returned by the PDP will include only the obligations associated [ADD: "with evaluated"] paths where the effect at each level of evaluation is the same as the effect being returned by the PDP.

-- 
Anne H. Anderson                 Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311       Tel: 781/442-0928
Burlington, MA 01803-0902 USA    Fax: 781/442-1692
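The two rules this thread converges on can be exercised in code: Anne's collection rule (a level of evaluation returns only the obligations of children that were actually evaluated and whose effect matches the effect that level returns) and the PEP rule Michiharu endorses from Tim's message (a PEP may knowingly disregard a recognized obligation, but must deny when it meets one it does not recognize). The following is an added example and is not code from this thread or from the XACML specification. The node types, the two short-circuiting combining algorithms, the obligation URIs under urn:example, the request attributes and the sample tree are all this example's own assumptions, constructed here to show the behaviour.

```python
"""Obligation collection over a policy tree, plus a PEP that enforces the result.

Added example, not from the XACML TC thread or the XACML specification.
Models: each level returns only obligations of children it actually evaluated
whose effect equals the level's own decision; the PEP denies on any
obligation it does not recognize. All names and URIs are this example's own.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"
Obligation = Tuple[str, dict]  # (URI reference, optional arguments)


@dataclass
class Rule:
    name: str
    effect: str                                   # Permit or Deny
    applies: Callable[[dict], bool]               # stand-in for target/condition
    obligations: Tuple[Obligation, ...] = ()      # returned with this rule's effect


@dataclass
class Policy:
    """A policyStatement or policyCombinationStatement: children + combiner."""
    name: str
    combiner: str                                 # "permit-overrides" | "deny-overrides"
    children: list                                # Rules and/or Policies
    obligations: Dict[str, Tuple[Obligation, ...]] = field(default_factory=dict)


def evaluate(node, request) -> Tuple[str, Tuple[Obligation, ...]]:
    """Return (effect, obligations) for one level of the evaluation tree."""
    if isinstance(node, Rule):
        return (node.effect, node.obligations) if node.applies(request) else (NOT_APPLICABLE, ())

    winner = PERMIT if node.combiner == "permit-overrides" else DENY
    other = DENY if winner == PERMIT else PERMIT
    results = []
    for child in node.children:
        effect, obs = evaluate(child, request)
        results.append((effect, obs))
        if effect == winner:          # assumption: overriding effect ends evaluation,
            break                     # so later siblings are never evaluated
    effects = [e for e, _ in results]
    if winner in effects:
        decision = winner
    elif other in effects:
        decision = other
    else:
        return NOT_APPLICABLE, ()
    # Keep only obligations from evaluated children whose effect matches ours,
    # then add this level's own obligations attached to that effect.
    collected = tuple(ob for eff, obs in results if eff == decision for ob in obs)
    return decision, collected + node.obligations.get(decision, ())


def enforce(decision, obligations, handlers, disregard=frozenset()):
    """PEP: deny on any unrecognized obligation; run the recognized ones."""
    for uri, _ in obligations:
        if uri not in handlers:
            return DENY, f"unrecognized obligation {uri}"
    if decision != PERMIT:
        return DENY, "PDP did not permit"
    for uri, args in obligations:
        if uri not in disregard:      # PEP may knowingly disregard a recognized one
            handlers[uri](args)
    return PERMIT, "ok"


# Constructed sample tree with hypothetical obligation URIs.
LOG = ("urn:example:obligation:log-access", {"level": "info"})
ALERT = ("urn:example:obligation:alert-admin", {})
WATERMARK = ("urn:example:obligation:watermark", {})
AUDIT = ("urn:example:obligation:audit-trail", {})

POLICY_A = Policy("A", "deny-overrides", [
    Rule("no-delete", DENY, lambda r: r["action"] == "delete", (ALERT,)),
    Rule("read-write", PERMIT, lambda r: r["action"] in ("read", "write"), (LOG,)),
])
POLICY_B = Policy("B", "permit-overrides", [
    Rule("alice", PERMIT, lambda r: r["subject"] == "alice", (WATERMARK,)),
])
POLICY_SET = Policy("root", "permit-overrides", [POLICY_A, POLICY_B],
                    obligations={PERMIT: (AUDIT,)})

READ = {"subject": "alice", "resource": "/records/42", "action": "read"}
DELETE = {"subject": "alice", "resource": "/records/42", "action": "delete"}


def decide(request):
    return evaluate(POLICY_SET, request)


def pep(request, handlers):
    decision, obligations = decide(request)
    return enforce(decision, obligations, handlers)


if __name__ == "__main__":
    handlers = {LOG[0]: print, AUDIT[0]: print}
    print(decide(READ))           # Permit with LOG + AUDIT; B was never evaluated
    print(decide(DELETE))         # Permit with WATERMARK + AUDIT; A's Deny obligation dropped
    print(pep(READ, handlers))    # Permit: every obligation recognized
    print(pep(DELETE, handlers))  # Deny: watermark obligation not recognized by this PEP
```

The read request shows the "actually evaluated" clause: policy A permits, the root's permit-overrides stops there, and B's watermark obligation never reaches the PDP result. The delete request shows the effect-matching clause: A returns Deny with an alert obligation, but the root returns Permit via B, so only obligations on the Permit path survive. The PEP then denies that second result because it has no handler for the watermark URI, which is exactly the case Tim's wording forbids it from silently passing.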