Subject: RE: [xacml] WS-Policy and XACML comparison
Anne - My plan would be to lay these use-cases out a lot more clearly in a use-case document. But, for the time-being ...

In 1.a., you are right, the issue is the service-provider's PDP telling it whether it should accept a service request or not.

In 1.b., right again. I don't think the consumer should assume that the provider (in forming the response) has followed the consumer's instructions faithfully. Perhaps, the consumer requires a certain portion of the response to be signed, and (what's more) signed with a particular "usage". If the response is not suitably signed, the consumer should reject the response.

3. is the "privacy" case, in which the custodian of another entity's information has a policy regarding its further disclosure and so does the information owner. So, prior to forwarding the information or archiving it, etc, the process determines if the step is conformant with both policies.

All the best. Tim.

-----Original Message-----
From: Anne Anderson [mailto:Anne.Anderson@Sun.com]
Sent: Wednesday, February 26, 2003 10:30 AM
To: Tim Moses
Cc: XACML TC
Subject: RE: [xacml] WS-Policy and XACML comparison

On 26 February, Tim Moses writes:
> Colleagues - The persuasiveness of Anne's argument is inescapable. I
> propose the following use-cases as a starting point. All the best. Tim.
>
> 1.a. Provider decision - Service provider decides whether a request is
> conformant with the applicable part of its policy.
> 1.b. Consumer decision - Service consumer decides whether a response is
> conformant with the applicable part of its policy.
> 2.a. Construct request - Service consumer forms a request that is
> simultaneously conformant with the applicable part of its own and the
> service provider's policy, or returns a fault.
> 2.b. Construct response - Service provider forms a response that is
> simultaneously conformant with the applicable part of its own and the
> service consumer's policy, or returns a fault.
> 3. Forward decision - Subsequent process-step decides whether a request is
> conformant with its own and the information owner's policy.

Tim,

Could you clarify these use cases for me?

- Is "Provider decision" the same as a PDP decision?

- Is the "response" in "Consumer decision" the response by the service provider to the service request? I have been assuming that most of the policies for the format, security, etc. of the response to the service request would have been negotiated as part of the service request, and that, often, the service consumer would not even be able to understand a response that was not in the mutually agreed upon format (for example, encrypted using an algorithm the consumer does not support).

- What does "its" refer to in "Forward decision"? The service provider? How is this different from "provider decision"?

Thanks,
Anne
--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692