[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Proposal for WI#2: Location Information
2: Location Information
Way to pass location information needed to evaluate a policy.
Examples of such information are:
o where to find various Attributes,
o where Attribute Authorities to be used are located
o where to find function, combining algorithm, data-type,
Attribute parsing code
Such information might be embedded in either of
a. an XACML Request
b. an XACML policy
MOTIVATING USE-CASE AND REQUIREMENT
NEW FUNCTIONALITY
Any XACML implementation that will use attributes other than
those passed in from the PEP needs to have a way to locate and
retrieve those attributes. Often the PEP or the policy writer
will know where and how a given attribute can or should be
retrieved, but there is currently no way to express this
information in XACML.
XACML is also designed to be extensible to support new
functions and data types. Any XACML implementation will need
to include new executable modules for handling these new
functions and data types. A policy writer may know where
appropriate downloadable executable modules are located, but
again, there is no way to express this information in an XACML
policy. In particular, PDPs implemented in languages such as
the Java language can use such information to support
extensions without needing to modify the standard PDP.
This requirement is based on actual experience with XACML
1.0/1.1 and the comments and requests received from users of
Sun's XACML Implementation Open Source project at
http://sunxacml.sourceforge.net/
SUMMARY OF OPEN ISSUES
1. What is the syntax for such information
PROPOSED SOLUTION #1
The following is a portion of another non-XML policy language
that included such functionality. The <Definitions> portion of
the following BNF specifies a syntax for expressing this
functionality. I propose modifying it to a suitable XML
format consistent with XACML.
<BooleanPolicy> ::= [ <Definitions> ] <BooleanCondition>
A <BooleanPolicy> is a statement that evaluates to 'TRUE' or
'FALSE'. The evaluation is done by taking a set of
<AttributeName> <AttributeValue> pairs supplied by the PEP and
by the configured AEPs, matching the <LocalAttributeName>s in
the <BooleanCondition> with the <AttributeName>s in the input
using 'define attribute' statements, substituting the
<AttributeValue> for each corresponding <LocalAttributeName> in
the <BooleanCondition>, then evaluating the <BooleanCondition>.
<Definitions> ::= <Definition> ';' |
<Definition> ';' <Definitions>
<Definition> ::= <AttributeDefinition> |
<PKIDefinition> |
<CertDefinition> |
<PolicyDefinition>
A <BooleanPolicy> may begin with one or more <Definitions> that
provide information for interpreting the <BooleanCondition> of
the policy. There are four types of <Definition>:
<AttributeDefinition> ::= 'DEFINE' 'ATTRIBUTE'
<LocalAttributeName>
'TYPE' ':' <AttributeTypeDefinition>
<LocalAttributeName> ::= <LocalName>
For each <LocalAttributeName> that is used in a
<BooleanCondition>, there must be an <AttributeDefinition>
statement that describes how to establish a value for that
attribute and how to compare values of that attribute.
<AttributeTypeDefinition> ::= ( <HowToGetValue> [ <HowToGetCode> ] ) |
'INHERITED'
An <AttributeTypeDefinition> tells how to obtain a value for
the corresponding attribute and, optionally, how to obtain code
for comparing the attribute to another value.
If <HowToGetCode> is omitted, then it is assumed that the
<BooleanPolicy> implementation knows how to compare the
associated attribute with another value.
An <AttributeTypeDefinition> of 'INHERITED' is only valid when the
<BooleanPolicy> in which it occurs is referenced as a
<ReferencedBooleanPolicy> from another <BooleanPolicy>
statement. 'INHERITED' indicates that the definition of the
attribute is to come from the <BooleanPolicy> in which the
current <BooleanPolicy> is referenced (that is, the outer
<BooleanPolicy>).
<HowToGetValue> ::= ( 'AC' <ValueSearchParameters> ) |
( 'INPUT' <InputIdentifier> )
'AC' indicates that the value for the attribute is to come from
an Attribute Certificate. 'INPUT' indicates that the value for
the attribute is to come from the PEP or from one of the
configured AEPs. If no value is supplied by the PEP, then the
configured AEPs are asked for a value.
There may be other <HowToGetValue> options added to the
language in the future.
<ValueSearchParameters> ::= 'OID' ':' <OID>
'HOLDER' ':' <Holders>
'AA' ':' <AAName>
For an 'AC' attribute, which will be obtained from an Attribute
Certificate, the <OID> of the attribute and the <Holder> of the
Attribute Certificate must be specified. The
<ValueSearchParameters> may also specify the name of the
Attribute Authority (AA) trusted to certify this attribute
value.
<Holders> ::= <Holder> |
<Holder> ',' <Holders>
<Holder> ::= <TypedName> |
<PublicKeyValue> |
<LocalAttributeName>
<PublicKeyValue> ::= <Hex-EncodedValue>
The <Holders> list contains names or public key values that are
allowed as Holder names in any Attribute Certificate used to
establish a value for this <LocalAttributeName>. The <Holders> list
may contain names of other attributes, the values of which are
to be substituted for the <Holder>.
<AAName> ::= <TypedName> | <LocalCertName>
An <AAName> is the name of an Attribute Authority trusted to
initiate chains of Attribute Certificates assigning values for
the associated attribute.
<InputIdentifier> ::= 'INPUTID' ':' ( <String> | <OID> )
The <InputIdentifier> is how the attribute value will be tagged
as it comes in from the PEP or as it is known to the configured
AEPs.
<HowToGetCode> ::= 'CODE' ':' <TypedCodeMethod>
<TypedCodeMethod> ::= ( 'PKI' <PKICodeSearchParameters> ) |
( 'CLASS' <ClassCodeSearchParameters> )
'PKI' indicates that the code is obtained from an X.509
Attribute Definition Certificate located through the PKI.
'URL' indicates that the code is obtained from a URL. 'CLASS'
indicates that the code is to be obtained from a Java class
binary. Additional <TypedCodeMethod>s could be added in the
future.
<PKICodeSearchParameters> ::= [ 'OID' ':' <OID> ]
[ 'ADA' ':' <ADAName> ]
If <TypedCodeMethod> is 'PKI', then code for the attribute may
be obtained from an Attribute Definition Certificate in the
Public Key Infrastructure under the <ADAName>. The attribute
is defined by the specified <OID>.
If the <OID> is omitted, then there are two possible defaults.
If the attribute is an 'INPUT' type, then the <InputIdentifier>
from the <HowToGetValue> is used, and must be an <OID>. If the
attribute is an 'AC' type, its <OID> is used. If the <ADAName>
is omitted, then attribute must be an 'AC' attribute, and the
ADA defaults to the <AAName>
<ClassCodeSearchParameters> ::= [ <JavaClassName> ]
[ 'URL' ':' <URL> ]
[ 'SIGNER' ':' <SignerNames> ]
If the <TypedCodeMethod> is 'CLASS', then the code for the
attribute must be a Java class binary with name
<JavaClassName>. If <JavaClassName> is omitted, then the
'INPUTID' is used as the <JavaClassName>.
This Java class binary must be of one of the following types:
- extends the 'java.security.Permission' abstract class,
- is a 'java.security.CodeSource' object,
- is a 'java.security.ProtectionDomain' object,
- is a 'java.security.Principal' object,
- implements the 'java.security.Principal' interface, or
- implements a new 'java.security.PolicyAttribute' interface
(see Appendix \ref{java.security.PolicyAttribute Interface}).
If a <URL> is supplied, then the class or a Java jar file
containing the class is expected to be located at the URL. If
no <URL> is specified, then the default is the classpath used
by the PDP.
If 'SIGNER' is specified, then the class or the entire jar file
must be signed by all the public key(s) associated with
<SignerNames> in the PKI. If no 'SIGNER' is specified, then
signature checking will not be done: the class or jar file may
be signed by any signer or may be unsigned. Note that all jar
files and class binaries in the <URL> should be signed unless
they are accessed via a secure channel.
<JavaClassName> ::=
A <JavaClassName> is a fully qualified Java class name, such as
"java.security.Principal".
<SignerNames> ::= <SignerName> |
<SignerName> ',' <SignerNames>
<SignerName> ::= <TypedName> | <LocalCertName>
A <SignerName> is the name associated in the PKI with the
private key used to create a cryptographic signature. In order
to verify the signature, a certificate having <SignerName> as
its Subject is located in the PKI and the public key from this
certificate is used. If the <LocalCertName> form is used, then
the code is expected to be signed by the certificate defined by
the <LocalCertName>.
<ADAName> ::= <TypedName> | <LocalCertName>
An <ADAName> is the name of an Attribute Definition Authority
trusted to sign an Attribute Definition Certificate defining
the associated attribute. The definition of an attribute
includes its ASN.1 syntax, identifiers for its Matching
Rule(s), and possibly pointers to executable code for
constructing instances of the attribute and its matching rule.
<PKIDefinition> ::= 'DEFINE' 'PKI' <LocalCertNames>
'CS' ':' <CertStores>
[ <ValidationParameters> ]
A <PKIDefinition> defines the parameters required to map names
to public keys using a Public Key Infrastructure. Each Trust
Anchor is expressed using its <LocalCertName> as defined in a
<CertDefinition> statement.
Associated with the set of Trust Anchors is a set of
certificate stores, and a set of optional
<ValidationParameters>. A certificate for each Trust Anchor
must be located in the certificate stores and verified using
the certificate fingerprint specified in the
<CertDefinition> statement that defines that Trust
Anchor. There can be at most one <PKIDefinition> statement in
a single policy. The scope of the <PKIDefinition> is the
<BooleanPolicy> in which it occurs. It applies to any
<ReferencedBooleanPolicy> that does not have its own
<PKIDefinition>.
If the Trust Anchor certificate found in the specified
<CertStores> contains a Subject Information Access extension
with an access method of "id-ad-caRepository", then
certificates and CRLs issued by that Trust Anchor may be
located either in the location specified in the Subject
Information Access extension or in the specified <CertStores>.
Otherwise, certificates and CRLs may be obtained from the
specified <CertStores> or using other mechanisms, such as the
Subject Information Access extension, the CRL Distribution
Points extension, etc.
If no <PKIDefinition> statement is present in a policy, then
the <PKIDefinition> used for its enclosing <BooleanPolicy> will
apply. If there is no enclosing <BooleanPolicy>, then the PDP
will use its configured default PKI definition.
<LocalCertNames> ::= <LocalCertName> |
<LocalCertName> ',' <LocalCertNames>
<LocalCertName> ::= <LocalName>
A <LocalCertName> is a mnemonic name defined in a
<CertDefinition> statement. The scope of the <LocalCertName>
is the immediate <BooleanPolicy>.
<CertStores> ::= <CertStore> |
<CertStore> ',' <CertStores>
<CertStore> ::= <CertStoreType> ':' <CertStoreURL>
A <CertStore> is a repository for one or more certificates.
The <CertStoreType> indicates the type of the repository and
the URL points to the repository.
<CertStoreType> ::= 'LDAP' | 'KEYSTORE'
If the type is 'LDAP', then the <CertStoreURL> must be an
"ldap:" URL. If the type is 'KEYSTORE', then the
<CertStoreURL> must be a locator that will retrieve a Java
Keystore file.
<CertStoreURL> ::= <URL>
A <CertStoreURL> is the Uniform Resource Locator for a
certificate store.
<ValidationParameters> ::= <ValidationParameter> |
<ValidationParameter> ','
<ValidationParameters>
<ValidationParameter> ::= 'POLICIES' ':' <OIDs> |
'INHIBITANYPOLICY' |
'REQUIREEXPLICITPOLICY' |
'INHIBITPOLICYMAPPING' |
'NOREVOCATION'
<ValidationParameters> provide controls over the way chains of
Public Key Identity Certificates are verified. Each
<ValidationParameter> has a default value as follows:
POLICIES: default is none.
INHIBITANYPOLICY: default is not inhibited.
REQUIREEXPLICITPOLICY: default is not required.
INHIBITPOLICYMAPPING: default is not inhibited.
NOREVOCATION: default is revocation checked.
In addition, the date for which the certificate validation is
performed is always the current time and date on the evaluating
platform. PolicyQualifiers are always rejected. For more
explanation, see the corresponding methods in
java.security.cert.PKIXParameters.
<CertDefinition> ::= 'DEFINE' 'CERT' <LocalCertName>
<CertSelector>
A <CertDefinition> statement associates a mnemonic
<LocalCertName> with a trusted certificate. The trusted
certificate is specified using a <CertSelector>.
The <LocalCertName> defined in a <CertDefinition> statement can
be used in a <PKIDefinition> statement, <AAName>, <ADAName>,
or <SignerName>.
<CertSelector> ::= ( 'SUBJECT' ':' <SubjectName>
'FINGERPRINT' ':' <FingerPrint> ) |
( 'KEYSTOREURL' ':' <URL>
[ 'ALIAS' ':' <KeyStoreAlias> ]
[ 'FINGERPRINT' ':' <FingerPrint> ] )
If <CertSelector> is the 'SUBJECT' form, then the trusted
certificate in the <CertDefinition> is the certificate with
Subject of <SubjectName> and certificate fingerprint of
<FingerPrint>. The certificate must be located in the PKI
specified in the 'define PKI' statement.
If <CertSelector> is the 'KEYSTOREURL' form, then the trusted
certificate in the <CertDefinition> is the certificate in the
indicated Java KeyStore file with the indicated
<KeyStoreAlias>. If no ALIAS is supplied, then the alias
defaults to the <LocalCertName>. If the 'FINGERPRINT' option
is used, then the certificate's fingerprint must match the
value of <FingerPrint>. Note that, while 'FINGERPRINT' is
optional for a KeyStore certificate, it is strongly
recommended, particularly where the 'KEYSTOREURL' is not
accessed over a secure, authenticated channel. If
'FINGERPRINT' is not included, there is no guarantee that the
certificate and public key selected are correct.
<SubjectName> ::= <TypedName>
The <SubjectName> is the typed name used as the Subject of a
public key certificate.
<FingerPrint> ::= <Hex-EncodedValue>
A <FingerPrint> is a 128-bit MD5 hash of a public key
certificate.
<KeyStoreAlias> ::= <String>
A <KeyStoreAlias> is the mnemonic name by which a certificate
in a Java KeyStore is located. Case is not significant in a
<KeyStoreAlias>.
<PolicyDefinition> ::= 'DEFINE' 'POLICY' <LocalPolicyName>
'ID' ':' <PolicyName>
'AA' ':' <AAName>
A <PolicyDefinition> is a way of referencing one policy from
inside of another. The referenced policy will be expressed as
a value for the "IssuerPolicy" attribute in an X.509 Attribute
Certificate (see Appendix \ref{IssuerPolicy Attribute Syntax}).
The attribute value must have a policyName field with a name
matching the <PolicyName> specified.
The X.509 Attribute Certificate is located in the PKI using
<AAName> as the SOA. If the Attribute Certificate has expired
or been revoked since it was last downloaded, then a fresh copy
is downloaded. The Attribute Certificate containing the policy
must validate using the indicated AA name as the SOA.
<LocalPolicyName> ::= <LocalName>
This is the <LocalName> by which this policy will be referenced
in a <ReferencedBooleanPolicy> statement.
<PolicyName> ::= <String>
Each policy in an IssuerPolicy attribute has a name indicating
what the policy is used for. This name might be "SunTEA
approval policy" or "Anne's file use policy".
DETAILED SOLUTION
[Actual text and schema changes or additions, referencing line
numbers in the XACML 1.1 PDF Specification, required to
express this solution in the 2.0 specification.
This may be in the form of edits to the source XACML 1.1
Specification, attached to the e-mail containing the
Proposal.
Don't bother with this until the SUMMARY indicates there are
no issues that remain to be resolved, and there is consensus
on one PROPOSED SOLUTION above.]
--
Anne H. Anderson Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311 Tel: 781/442-0928
Burlington, MA 01803-0902 USA Fax: 781/442-1692
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]