Subject: Re: [xacml] Request and Response Context Schemas - Take 2
On 5 June, Polar Humenn writes: Re: [xacml] Request and Response Context Schemas - Take 2

> I would really like to get rid of this "multiple" principals concept, and
> go with a structured principal. That way the security software can
> construct the proper principal.

As I said before, I don't think we are ready to define a structured resource. Yes, we could use the relationships described in "A Calculus for Access Control in Distributed Systems" by Abadi, Burrows, Lampson, and Plotkin, but we don't have a model for how a policy writer should use this structure in writing real policies. For example, do I trust Anne.Anderson@Sun.COM to have access to resource X as long as the request asserts that all intermediaries are "quoting" her? Do I trust saguaro.east.sun.com "quoting" java.io.InputStream "speaking for" Anne.Anderson@Sun.COM?

Theoretically, I think the structure, and maybe the use model, are available, but I think it will take more time than we have right now to incorporate that into XACML. Having multiple role-defined Principals is a way to work around this problem in the meantime, and I, at least, have a clear idea of how that is used in policy statements, since it is the same way PolicyFile is used now.

> As for having multiple resources, I disagree. We have to limit the
> "request" to something specific, so we aren't doing too much guessing at
> the policy end, i.e. at most 1 (structured) principal, 1 resource, 1
> action.

I am happy to go with one resource. I think more than one action is probably useful. See above for 1 (structured) principal.

Anne

--
Anne H. Anderson                      Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311           Tel: 781/442-0928
Burlington, MA 01803-0902 USA         Fax: 781/442-1692
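The two policy readings Anne poses as questions above (permit only when every intermediary is "quoting" the originator, versus also accepting "speaks for" links from a trusted delegate) can be made concrete with a small evaluator. This is an added example, not code from the XACML list or the Abadi et al. paper; the node types, the `trusted` delegation table and the constructed request are illustrative assumptions.

```python
# Added example (not from the XACML thread): a toy model of the
# "quoting" / "speaks for" principal structures that the message
# contrasts with multiple role-defined principals. Node types, the
# request and both policy readings are assumptions for illustration.
from dataclasses import dataclass
from typing import Union

Principal = Union[str, "Quoting", "SpeaksFor"]


@dataclass(frozen=True)
class Quoting:          # "A quoting B": A reports that B made the request
    quoter: str
    quoted: "Principal"


@dataclass(frozen=True)
class SpeaksFor:        # "A speaking for B": A's statements count as B's
    delegate: str
    delegator: "Principal"


def originator(p: Principal) -> str:
    """Innermost principal on whose behalf the request is claimed."""
    while not isinstance(p, str):
        p = p.quoted if isinstance(p, Quoting) else p.delegator
    return p


def all_quoting(p: Principal) -> bool:
    """Reading 1: every intermediary merely quotes; no delegation at all."""
    while not isinstance(p, str):
        if not isinstance(p, Quoting):
            return False          # a speaks-for link is present: deny
        p = p.quoted
    return True


def delegates_trusted(p: Principal, trusted: set) -> bool:
    """Reading 2: speaks-for links are fine only if (delegate, target) is trusted."""
    while not isinstance(p, str):
        if isinstance(p, SpeaksFor):
            if (p.delegate, originator(p.delegator)) not in trusted:
                return False      # untrusted delegate claiming to speak for target
            p = p.delegator
        else:
            p = p.quoted          # quoting adds no authority, just walk inward
    return True


# Constructed request from the message: saguaro quoting InputStream speaking for Anne.
REQUEST = Quoting("saguaro.east.sun.com",
                  SpeaksFor("java.io.InputStream", "Anne.Anderson@Sun.COM"))
```

Under reading 1 the request is denied because the speaks-for link is not a quotation; under reading 2 it is permitted only if the policy writer has explicitly trusted java.io.InputStream to speak for Anne, which is exactly the use-model decision the message says XACML does not yet have.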