
Subject: Re: [xacml] PEP Conformance


i think we are veering off of the topic, but...

if you look at "Conformance Program Specification for the OASIS Security Assertion Markup Language (SAML)"
Document identifier: draft-sstc-conform-spec-12
Location: http://www.oasis-open.org/committees/security/docs
Publication date: 22 March 2002
Maturity Level: Committee Working Draft


you will see in the conformance objectives:

/*
The objectives of the SAML Conformance Clause are to:
1. [...]
2. Promote interoperability in the exchange of authentication and authorization information
*/

which has no meaning if the *application* of this information is not consistent. i believe that this position is embodied in the following conformance test case:

/*
4.1.6    Test Case 1-6: SOAP Protocol Binding: Implementation-Under-Test Consumes Valid Authorization Decision Assertion, Requested in Valid Query
Description: This test case receives an authorization decision query created by an implementation-under-test using the AuthorizationRequest protocol in the SOAP binding. It confirms that the received query is valid for all required functionality. It returns an authorization decision assertion to the implementation-under-test and confirms that the assertion is consumed.
Pass/Fail Criteria: AuthorizationQuery contains all required elements in the right format and sequence; authorization decision response and assertion are consumed.
Requirements Reference: R-AUTHZDECISION, and R-MULTIDOMAIN
Specification Reference: SAML Core, sections 2.4.4 and 3
            SAML Bind, section 3.1
Implementation notes: The implementation-under-test executes the authorization decision assertion consumer role. Test program and implementation-under-test must agree how to validate that assertion was consumed.
*/

which states that authorization query consumption must be validated (i.e. 'consumed' the same way). i posit that this will be performed in much the same way attribute conformance was achieved this summer: multiple vendors will send azn queries back and forth while protecting a controlled asset; conformance is declared when the *results* match across systems. in other words this:

/*
The Application may or may not give you access, sometimes you won't even
see it. I being an application, may get a Deny response from a PDP, but
decide to give you access any way, but maybe to a false object. But in any
case, you cannot bind me to deny access in a consistent manner.
*/

will *not* conform.

b 

Polar Humenn wrote:
> Can anybody point me to the proper places in the SAML documents:
> 
>     * Assertions and Protocol (  cs-sstc-core-01)
>           * Assertion Schema ( cs-sstc-schema-assertion-01.xsd)
>           * Protocol Schema ( cs-sstc-schema-protocol-01.xsd)
>     * Bindings and Profiles ( cs-sstc-bindings-01)
>     * Security and Privacy Considerations ( cs-sstc-sec-consider-01)
>     * Conformance Program Specification ( cs-sstc-conform-01)
>     * Glossary ( cs-sstc-glossary-01)
> 
> 
> that talks about a PEP's behavior in accordance with a SAML Response to an
> AuthorizationQuery?
> 
> I've looked at most of these documents, even in the Conformance Program
> Specification, I cannot find anything.
> 
> Cheers,
> -Polar
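The following is an added illustration, not code from the OASIS thread or from any SAML conformance test program: a toy harness in the spirit of the "assertion is consumed" test case quoted above. Several PEP implementations consume the same SAML 1.0 authorization decision responses while guarding one controlled asset, and only those whose enforcement outcomes match the reference rule (release the asset on an explicit Permit, fail closed on everything else) are declared conformant. The element and attribute names follow SAML 1.0; the response XML, the asset URL, the subject and the PEP names are constructed for this example, and the "lenient" PEP models the behaviour the message argues will not conform.

```python
# Added example (not from the OASIS xacml thread): a toy PEP conformance harness.
# SAML 1.0 namespaces and element names are real; everything else is constructed.
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, Dict

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol"


@dataclass(frozen=True)
class AuthzDecision:
    resource: str
    action: str
    decision: str  # "Permit", "Deny" or "Indeterminate"


def _response(decision: str, action: str, status: str = "samlp:Success") -> str:
    """Build a minimal samlp:Response carrying one AuthorizationDecisionStatement (constructed)."""
    return f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}">
  <samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>
  <saml:Assertion>
    <saml:AuthorizationDecisionStatement Resource="https://example.test/asset" Decision="{decision}">
      <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
      <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">{action}</saml:Action>
    </saml:AuthorizationDecisionStatement>
  </saml:Assertion>
</samlp:Response>"""


# Constructed test vectors: what the test program hands to each implementation-under-test.
TEST_VECTORS: Dict[str, str] = {
    "read-permit": _response("Permit", "Read"),
    "write-deny": _response("Deny", "Write"),
    "delete-indeterminate": _response("Indeterminate", "Delete"),
    "read-responder-error": _response("Permit", "Read", status="samlp:Responder"),
}


def parse_decision(response_xml: str) -> AuthzDecision:
    """Consume a samlp:Response; raise unless it is a successful, well-formed decision."""
    root = ET.fromstring(response_xml)
    code = root.find(f"{{{SAMLP_NS}}}Status/{{{SAMLP_NS}}}StatusCode")
    if code is None or code.get("Value", "").split(":")[-1] != "Success":
        raise ValueError("response status is not Success")
    stmt = root.find(f".//{{{SAML_NS}}}AuthorizationDecisionStatement")
    if stmt is None:
        raise ValueError("no AuthorizationDecisionStatement in response")
    decision = stmt.get("Decision")
    if decision not in ("Permit", "Deny", "Indeterminate"):
        raise ValueError(f"unexpected Decision value {decision!r}")
    action = stmt.find(f"{{{SAML_NS}}}Action")
    action_text = (action.text or "").strip() if action is not None else ""
    return AuthzDecision(stmt.get("Resource", ""), action_text, decision)


# A PEP here is simply: given the raw response, do you release the controlled asset?
PEP = Callable[[str], bool]


def strict_pep(response_xml: str) -> bool:
    """Reference behaviour: release only on an explicit Permit, fail closed otherwise."""
    try:
        return parse_decision(response_xml).decision == "Permit"
    except ValueError:
        return False


def lenient_pep(response_xml: str) -> bool:
    """The behaviour the thread argues against: Deny is 'consumed' but access is granted anyway."""
    try:
        parse_decision(response_xml)
    except ValueError:
        return False
    return True


def fail_open_pep(response_xml: str) -> bool:
    """Another non-conformant variant: treats Indeterminate and responder errors like Permit."""
    try:
        return parse_decision(response_xml).decision != "Deny"
    except ValueError:
        return True


def run_conformance(peps: Dict[str, PEP], vectors: Dict[str, str] = TEST_VECTORS) -> Dict[str, bool]:
    """Declare a PEP conformant only if its outcome matches the reference on every vector."""
    reference = {name: strict_pep(xml) for name, xml in vectors.items()}
    return {
        pep_name: all(pep(xml) == reference[name] for name, xml in vectors.items())
        for pep_name, pep in peps.items()
    }


if __name__ == "__main__":
    candidates = {"strict": strict_pep, "lenient": lenient_pep, "fail-open": fail_open_pep}
    for name, ok in run_conformance(candidates).items():
        print(f"{name:10s} {'conformant' if ok else 'NOT conformant'}")
```

The harness compares enforcement results, not the wire messages: every candidate consumes the same valid responses, and the two that release the asset on a Deny, an Indeterminate, or a failed status diverge from the reference and are rejected, which is the "results match across systems" criterion the message describes.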


