Subject: RE: [xacml] 7.7 Obligations
Based on the discussion on the list:

- Bill and I are in agreement.
- Daniel seems to be uncomfortable with an authorization decision like DENY with obligation(s).
- Polar seems to be suggesting including understandable obligations in the request context, to avoid the PDP emitting non-understandable obligations to the PEP.

My opinion is that DENY with obligation (e.g. deny, provided that the access must be logged) is still useful for some applications, e.g. the security policy for a firewall server and an authentication server. For example, "DENY with notify-admin" means that the access is rejected but a notification of the access must be sent to the admin. The TC approved including this a long time ago.

For the non-understandable obligations, Polar's suggestion to include understandable obligations in the request context might be one option. It definitely eliminates the case where the PEP receives a non-understandable obligation from the PDP. But I have a slight concern. What if there are hundreds of obligations the PEP understands? Then I don't think it is an efficient way to mandate including all the understandable obligations in each access request, because it may make the access request very large, even if such information is irrelevant to many access requests. Another way would be to create a communication protocol between the PDP and the PEP to exchange a list of understandable obligations, but that seems outside the scope of XACML. XACML should focus on what decision must be generated in response to what decision request. Therefore, I would prefer my original definition, which includes the case where the PEP does not understand the obligation.

Michiharu Kudo
IBM Tokyo Research Laboratory, Internet Technology
Tel. +81 (46) 215-4642
Fax +81 (46) 273-7428
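As an added illustration (not part of this thread or of any TC text), here is a small Python PEP that consumes a constructed XACML 1.0 style response carrying DENY plus a "notify-admin" obligation, as in the mail above, and that refuses access whenever it meets an obligation it does not understand. The namespaces and element names follow XACML 1.0 as assumed here; the obligation and attribute ids are constructed, and the fail-closed handling of unknown obligations is the conservative choice this example assumes.

```python
# Added example: a PEP enforcing Deny-with-obligation and failing closed on
# obligations it cannot discharge. Not code from the XACML TC or any product.
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:1.0:context"  # assumed XACML 1.0 context namespace
POL = "urn:oasis:names:tc:xacml:1.0:policy"   # assumed XACML 1.0 policy namespace

# Constructed sample response: DENY plus the notify-admin obligation (ids are made up).
SAMPLE_RESPONSE = f"""<Response xmlns="{CTX}" xmlns:p="{POL}">
  <Result>
    <Decision>Deny</Decision>
    <p:Obligations>
      <p:Obligation ObligationId="urn:example:obligation:notify-admin" FulfillOn="Deny">
        <p:AttributeAssignment AttributeId="urn:example:admin-email"
          DataType="http://www.w3.org/2001/XMLSchema#string">admin@example.com</p:AttributeAssignment>
      </p:Obligation>
    </p:Obligations>
  </Result>
</Response>"""

def parse_result(xml_text):
    """Return (decision, [(obligation_id, fulfill_on, {attribute_id: value}), ...])."""
    root = ET.fromstring(xml_text)
    result = root.find(f"{{{CTX}}}Result")
    decision = result.findtext(f"{{{CTX}}}Decision")
    obligations = []
    for ob in result.iter(f"{{{POL}}}Obligation"):
        attrs = {a.get("AttributeId"): (a.text or "").strip()
                 for a in ob.findall(f"{{{POL}}}AttributeAssignment")}
        obligations.append((ob.get("ObligationId"), ob.get("FulfillOn"), attrs))
    return decision, obligations

def enforce(xml_text, handlers, notices):
    """PEP side: return True only if access may be granted.
    Every obligation whose FulfillOn matches the decision is discharged by a known
    handler; an obligation the PEP does not understand means the decision cannot be
    enforced as written, so access is refused whatever the decision says."""
    decision, obligations = parse_result(xml_text)
    for ob_id, fulfill_on, attrs in obligations:
        if fulfill_on != decision:
            continue                      # obligation not applicable to this decision
        handler = handlers.get(ob_id)
        if handler is None:
            notices.append(f"unknown obligation {ob_id}; refusing access")
            return False
        handler(attrs, notices)           # discharge the obligation
    return decision == "Permit"

def notify_admin(attrs, notices):
    # Stand-in for sending a notification; records what would be sent.
    notices.append(f"notify {attrs['urn:example:admin-email']} of rejected access")

HANDLERS = {"urn:example:obligation:notify-admin": notify_admin}
```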