[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Proposal for WI#2: Location Information
2: Location Information Way to pass location information needed to evaluate a policy. Examples of such information are: o where to find various Attributes, o where Attribute Authorities to be used are located o where to find function, combining algorithm, data-type, Attribute parsing code Such information might be embedded in either of a. an XACML Request b. an XACML policy MOTIVATING USE-CASE AND REQUIREMENT NEW FUNCTIONALITY Any XACML implementation that will use attributes other than those passed in from the PEP needs to have a way to locate and retrieve those attributes. Often the PEP or the policy writer will know where and how a given attribute can or should be retrieved, but there is currently no way to express this information in XACML. XACML is also designed to be extensible to support new functions and data types. Any XACML implementation will need to include new executable modules for handling these new functions and data types. A policy writer may know where appropriate downloadable executable modules are located, but again, there is no way to express this information in an XACML policy. In particular, PDPs implemented in languages such as the Java language can use such information to support extensions without needing to modify the standard PDP. This requirement is based on actual experience with XACML 1.0/1.1 and the comments and requests received from users of Sun's XACML Implementation Open Source project at http://sunxacml.sourceforge.net/ SUMMARY OF OPEN ISSUES 1. What is the syntax for such information PROPOSED SOLUTION #1 The following is a portion of another non-XML policy language that included such functionality. The <Definitions> portion of the following BNF specifies a syntax for expressing this functionality. I propose modifying it to a suitable XML format consistent with XACML. <BooleanPolicy> ::= [ <Definitions> ] <BooleanCondition> A <BooleanPolicy> is a statement that evaluates to 'TRUE' or 'FALSE'. The evaluation is done by taking a set of <AttributeName> <AttributeValue> pairs supplied by the PEP and by the configured AEPs, matching the <LocalAttributeName>s in the <BooleanCondition> with the <AttributeName>s in the input using 'define attribute' statements, substituting the <AttributeValue> for each corresponding <LocalAttributeName> in the <BooleanCondition>, then evaluating the <BooleanCondition>. <Definitions> ::= <Definition> ';' | <Definition> ';' <Definitions> <Definition> ::= <AttributeDefinition> | <PKIDefinition> | <CertDefinition> | <PolicyDefinition> A <BooleanPolicy> may begin with one or more <Definitions> that provide information for interpreting the <BooleanCondition> of the policy. There are four types of <Definition>: <AttributeDefinition> ::= 'DEFINE' 'ATTRIBUTE' <LocalAttributeName> 'TYPE' ':' <AttributeTypeDefinition> <LocalAttributeName> ::= <LocalName> For each <LocalAttributeName> that is used in a <BooleanCondition>, there must be an <AttributeDefinition> statement that describes how to establish a value for that attribute and how to compare values of that attribute. <AttributeTypeDefinition> ::= ( <HowToGetValue> [ <HowToGetCode> ] ) | 'INHERITED' An <AttributeTypeDefinition> tells how to obtain a value for the corresponding attribute and, optionally, how to obtain code for comparing the attribute to another value. If <HowToGetCode> is omitted, then it is assumed that the <BooleanPolicy> implementation knows how to compare the associated attribute with another value. An <AttributeTypeDefinition> of 'INHERITED' is only valid when the <BooleanPolicy> in which it occurs is referenced as a <ReferencedBooleanPolicy> from another <BooleanPolicy> statement. 'INHERITED' indicates that the definition of the attribute is to come from the <BooleanPolicy> in which the current <BooleanPolicy> is referenced (that is, the outer <BooleanPolicy>). <HowToGetValue> ::= ( 'AC' <ValueSearchParameters> ) | ( 'INPUT' <InputIdentifier> ) 'AC' indicates that the value for the attribute is to come from an Attribute Certificate. 'INPUT' indicates that the value for the attribute is to come from the PEP or from one of the configured AEPs. If no value is supplied by the PEP, then the configured AEPs are asked for a value. There may be other <HowToGetValue> options added to the language in the future. <ValueSearchParameters> ::= 'OID' ':' <OID> 'HOLDER' ':' <Holders> 'AA' ':' <AAName> For an 'AC' attribute, which will be obtained from an Attribute Certificate, the <OID> of the attribute and the <Holder> of the Attribute Certificate must be specified. The <ValueSearchParameters> may also specify the name of the Attribute Authority (AA) trusted to certify this attribute value. <Holders> ::= <Holder> | <Holder> ',' <Holders> <Holder> ::= <TypedName> | <PublicKeyValue> | <LocalAttributeName> <PublicKeyValue> ::= <Hex-EncodedValue> The <Holders> list contains names or public key values that are allowed as Holder names in any Attribute Certificate used to establish a value for this <LocalAttributeName>. The <Holders> list may contain names of other attributes, the values of which are to be substituted for the <Holder>. <AAName> ::= <TypedName> | <LocalCertName> An <AAName> is the name of an Attribute Authority trusted to initiate chains of Attribute Certificates assigning values for the associated attribute. <InputIdentifier> ::= 'INPUTID' ':' ( <String> | <OID> ) The <InputIdentifier> is how the attribute value will be tagged as it comes in from the PEP or as it is known to the configured AEPs. <HowToGetCode> ::= 'CODE' ':' <TypedCodeMethod> <TypedCodeMethod> ::= ( 'PKI' <PKICodeSearchParameters> ) | ( 'CLASS' <ClassCodeSearchParameters> ) 'PKI' indicates that the code is obtained from an X.509 Attribute Definition Certificate located through the PKI. 'URL' indicates that the code is obtained from a URL. 'CLASS' indicates that the code is to be obtained from a Java class binary. Additional <TypedCodeMethod>s could be added in the future. <PKICodeSearchParameters> ::= [ 'OID' ':' <OID> ] [ 'ADA' ':' <ADAName> ] If <TypedCodeMethod> is 'PKI', then code for the attribute may be obtained from an Attribute Definition Certificate in the Public Key Infrastructure under the <ADAName>. The attribute is defined by the specified <OID>. If the <OID> is omitted, then there are two possible defaults. If the attribute is an 'INPUT' type, then the <InputIdentifier> from the <HowToGetValue> is used, and must be an <OID>. If the attribute is an 'AC' type, its <OID> is used. If the <ADAName> is omitted, then attribute must be an 'AC' attribute, and the ADA defaults to the <AAName> <ClassCodeSearchParameters> ::= [ <JavaClassName> ] [ 'URL' ':' <URL> ] [ 'SIGNER' ':' <SignerNames> ] If the <TypedCodeMethod> is 'CLASS', then the code for the attribute must be a Java class binary with name <JavaClassName>. If <JavaClassName> is omitted, then the 'INPUTID' is used as the <JavaClassName>. This Java class binary must be of one of the following types: - extends the 'java.security.Permission' abstract class, - is a 'java.security.CodeSource' object, - is a 'java.security.ProtectionDomain' object, - is a 'java.security.Principal' object, - implements the 'java.security.Principal' interface, or - implements a new 'java.security.PolicyAttribute' interface (see Appendix \ref{java.security.PolicyAttribute Interface}). If a <URL> is supplied, then the class or a Java jar file containing the class is expected to be located at the URL. If no <URL> is specified, then the default is the classpath used by the PDP. If 'SIGNER' is specified, then the class or the entire jar file must be signed by all the public key(s) associated with <SignerNames> in the PKI. If no 'SIGNER' is specified, then signature checking will not be done: the class or jar file may be signed by any signer or may be unsigned. Note that all jar files and class binaries in the <URL> should be signed unless they are accessed via a secure channel. <JavaClassName> ::= A <JavaClassName> is a fully qualified Java class name, such as "java.security.Principal". <SignerNames> ::= <SignerName> | <SignerName> ',' <SignerNames> <SignerName> ::= <TypedName> | <LocalCertName> A <SignerName> is the name associated in the PKI with the private key used to create a cryptographic signature. In order to verify the signature, a certificate having <SignerName> as its Subject is located in the PKI and the public key from this certificate is used. If the <LocalCertName> form is used, then the code is expected to be signed by the certificate defined by the <LocalCertName>. <ADAName> ::= <TypedName> | <LocalCertName> An <ADAName> is the name of an Attribute Definition Authority trusted to sign an Attribute Definition Certificate defining the associated attribute. The definition of an attribute includes its ASN.1 syntax, identifiers for its Matching Rule(s), and possibly pointers to executable code for constructing instances of the attribute and its matching rule. <PKIDefinition> ::= 'DEFINE' 'PKI' <LocalCertNames> 'CS' ':' <CertStores> [ <ValidationParameters> ] A <PKIDefinition> defines the parameters required to map names to public keys using a Public Key Infrastructure. Each Trust Anchor is expressed using its <LocalCertName> as defined in a <CertDefinition> statement. Associated with the set of Trust Anchors is a set of certificate stores, and a set of optional <ValidationParameters>. A certificate for each Trust Anchor must be located in the certificate stores and verified using the certificate fingerprint specified in the <CertDefinition> statement that defines that Trust Anchor. There can be at most one <PKIDefinition> statement in a single policy. The scope of the <PKIDefinition> is the <BooleanPolicy> in which it occurs. It applies to any <ReferencedBooleanPolicy> that does not have its own <PKIDefinition>. If the Trust Anchor certificate found in the specified <CertStores> contains a Subject Information Access extension with an access method of "id-ad-caRepository", then certificates and CRLs issued by that Trust Anchor may be located either in the location specified in the Subject Information Access extension or in the specified <CertStores>. Otherwise, certificates and CRLs may be obtained from the specified <CertStores> or using other mechanisms, such as the Subject Information Access extension, the CRL Distribution Points extension, etc. If no <PKIDefinition> statement is present in a policy, then the <PKIDefinition> used for its enclosing <BooleanPolicy> will apply. If there is no enclosing <BooleanPolicy>, then the PDP will use its configured default PKI definition. <LocalCertNames> ::= <LocalCertName> | <LocalCertName> ',' <LocalCertNames> <LocalCertName> ::= <LocalName> A <LocalCertName> is a mnemonic name defined in a <CertDefinition> statement. The scope of the <LocalCertName> is the immediate <BooleanPolicy>. <CertStores> ::= <CertStore> | <CertStore> ',' <CertStores> <CertStore> ::= <CertStoreType> ':' <CertStoreURL> A <CertStore> is a repository for one or more certificates. The <CertStoreType> indicates the type of the repository and the URL points to the repository. <CertStoreType> ::= 'LDAP' | 'KEYSTORE' If the type is 'LDAP', then the <CertStoreURL> must be an "ldap:" URL. If the type is 'KEYSTORE', then the <CertStoreURL> must be a locator that will retrieve a Java Keystore file. <CertStoreURL> ::= <URL> A <CertStoreURL> is the Uniform Resource Locator for a certificate store. <ValidationParameters> ::= <ValidationParameter> | <ValidationParameter> ',' <ValidationParameters> <ValidationParameter> ::= 'POLICIES' ':' <OIDs> | 'INHIBITANYPOLICY' | 'REQUIREEXPLICITPOLICY' | 'INHIBITPOLICYMAPPING' | 'NOREVOCATION' <ValidationParameters> provide controls over the way chains of Public Key Identity Certificates are verified. Each <ValidationParameter> has a default value as follows: POLICIES: default is none. INHIBITANYPOLICY: default is not inhibited. REQUIREEXPLICITPOLICY: default is not required. INHIBITPOLICYMAPPING: default is not inhibited. NOREVOCATION: default is revocation checked. In addition, the date for which the certificate validation is performed is always the current time and date on the evaluating platform. PolicyQualifiers are always rejected. For more explanation, see the corresponding methods in java.security.cert.PKIXParameters. <CertDefinition> ::= 'DEFINE' 'CERT' <LocalCertName> <CertSelector> A <CertDefinition> statement associates a mnemonic <LocalCertName> with a trusted certificate. The trusted certificate is specified using a <CertSelector>. The <LocalCertName> defined in a <CertDefinition> statement can be used in a <PKIDefinition> statement, <AAName>, <ADAName>, or <SignerName>. <CertSelector> ::= ( 'SUBJECT' ':' <SubjectName> 'FINGERPRINT' ':' <FingerPrint> ) | ( 'KEYSTOREURL' ':' <URL> [ 'ALIAS' ':' <KeyStoreAlias> ] [ 'FINGERPRINT' ':' <FingerPrint> ] ) If <CertSelector> is the 'SUBJECT' form, then the trusted certificate in the <CertDefinition> is the certificate with Subject of <SubjectName> and certificate fingerprint of <FingerPrint>. The certificate must be located in the PKI specified in the 'define PKI' statement. If <CertSelector> is the 'KEYSTOREURL' form, then the trusted certificate in the <CertDefinition> is the certificate in the indicated Java KeyStore file with the indicated <KeyStoreAlias>. If no ALIAS is supplied, then the alias defaults to the <LocalCertName>. If the 'FINGERPRINT' option is used, then the certificate's fingerprint must match the value of <FingerPrint>. Note that, while 'FINGERPRINT' is optional for a KeyStore certificate, it is strongly recommended, particularly where the 'KEYSTOREURL' is not accessed over a secure, authenticated channel. If 'FINGERPRINT' is not included, there is no guarantee that the certificate and public key selected are correct. <SubjectName> ::= <TypedName> The <SubjectName> is the typed name used as the Subject of a public key certificate. <FingerPrint> ::= <Hex-EncodedValue> A <FingerPrint> is a 128-bit MD5 hash of a public key certificate. <KeyStoreAlias> ::= <String> A <KeyStoreAlias> is the mnemonic name by which a certificate in a Java KeyStore is located. Case is not significant in a <KeyStoreAlias>. <PolicyDefinition> ::= 'DEFINE' 'POLICY' <LocalPolicyName> 'ID' ':' <PolicyName> 'AA' ':' <AAName> A <PolicyDefinition> is a way of referencing one policy from inside of another. The referenced policy will be expressed as a value for the "IssuerPolicy" attribute in an X.509 Attribute Certificate (see Appendix \ref{IssuerPolicy Attribute Syntax}). The attribute value must have a policyName field with a name matching the <PolicyName> specified. The X.509 Attribute Certificate is located in the PKI using <AAName> as the SOA. If the Attribute Certificate has expired or been revoked since it was last downloaded, then a fresh copy is downloaded. The Attribute Certificate containing the policy must validate using the indicated AA name as the SOA. <LocalPolicyName> ::= <LocalName> This is the <LocalName> by which this policy will be referenced in a <ReferencedBooleanPolicy> statement. <PolicyName> ::= <String> Each policy in an IssuerPolicy attribute has a name indicating what the policy is used for. This name might be "SunTEA approval policy" or "Anne's file use policy". DETAILED SOLUTION [Actual text and schema changes or additions, referencing line numbers in the XACML 1.1 PDF Specification, required to express this solution in the 2.0 specification. This may be in the form of edits to the source XACML 1.1 Specification, attached to the e-mail containing the Proposal. Don't bother with this until the SUMMARY indicates there are no issues that remain to be resolved, and there is consensus on one PROPOSED SOLUTION above.] -- Anne H. Anderson Email: Anne.Anderson@Sun.COM Sun Microsystems Laboratories 1 Network Drive,UBUR02-311 Tel: 781/442-0928 Burlington, MA 01803-0902 USA Fax: 781/442-1692
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]