Subject: Re: [xacml] I have changed my mind about WSPL being in scope
While I respect Hal's position, I find myself in the camp of the "simple minded" in that I personally believe that the work done by Tim and others (over the last six months) on the WSPL profile represents a well structured example of XACML being applied to a practical situation (that would be a "profile" in my world) that does not violate the spirit of the XACML TC's charter. As I have said on a number of occasions, I believe that specification without application is academia and I sure hope that it is the intent of this TC to strive for more than a mental exercise into the abstract possibilities of access control description in XML.

In more specific terms: "XACML is expected to address fine grained control of authorized activities, the effect of characteristics of the access requestor, the protocol over which the request is made, authorization based on classes of activities, and content introspection (i.e. authorization based on both the requestor and potentially attribute values within the target where the values of the attributes may not be known to the policy writer). XACML is also expected to suggest a policy authorization model to guide implementers of the authorization mechanism."

I would be interested to know how does one "suggest a policy authorization model to guide implementers..." without a mechanism like that proposed by Tim for WSPL? A half dozen boxes and a few AAA model references? It is my hope that as a group we will strive to be somewhat more relevant.

Does the WSPL profile present itself as the definitive answer to all web services policy creation? I see no evidence of that. Is it a proposal for how one MAY create a policy that addresses web services security while complying with XACML policy constructs (aka "suggest a policy authorization model to guide implementers of the authorization mechanism")? I would say so.

Maybe I am just a naive optimist, but it seems like what we are trying to do here with the WSPL profile is kinda the whole point of what it is that we are trying to do here as a TC. The problem as I see it is that we didn't change our charter or approach, but that somewhere along the line administrivia became more important than the output of the group; I cannot imagine this topic even being broached a year ago, much less being reduced to challenges to the OASIS board and public accusations of improper behavior. What happened?

I am not trying to attack anyone and this is not directed to any one person, but I personally find the insistence that this specific endeavor be directed to some sort of a new TC absurd and counterproductive. If we don't provide an example of how XACML would work in this environment then who would do it, some special TC dedicated to WSPL access control policy expression (*possibly* conformant to XACML)? Is that realistic? Is it even desirable?

I don't see the WSPL profile as an expansion of the XACML charter simply because we are not assuming the role of sole provider of web services policy, rather this is an example of how web services policy may be expressed in XACML. If *that* is beyond our scope then there is something wrong in general because I believe we will quickly find ourselves backed into a corner whereby we will be unable to demonstrate the USEFULNESS of our specification. Period.

I understand that we cannot have anarchy, but organizational paralysis isn't any better and on many levels it is worse to those of us interested in a workable standard.

b

(so much for my leave of absence :o)