OASIS Mailing List Archives

xacml message



Subject: Obligations rear their ugly head.



Greetings,

Aside from the fact that in order to get a determinate answer from a PDP
with respect to obligations, I've got serious problems with other things
said in the specification in their regard.

We've probably had this argument before, but...

In section 2.12, "Actions performed in conjunction with enforcement", the
last sentence states:

"PEPs that conform with v2.0 of XACML are required to deny access unless
they understand and can discharge all of the <Obligations> elements
associated with the applicable policy."

With my dad in the operating room this weekend, I found myself stating to
myself, "Gee I hope those IT people didn't install a XACML compliant PEP."

All I needed was to have a previous X-ray or Sonogram denied because
somebody put an obligation, such as in Example Rule 3 in the spec, "A
physician may ...... provided an email is sent to the patient".

"Provided that"? What if the email system is down? Then the PEP cannot
"discharge" that obligation, and therefore denies.

First, I have an issue with "provided that", which I thought we agreed
obligations were not supposed to mean.

Second of all, what if some IT administrator added a lower level XACML
policy with that obligation without regard for all of the PEPs that might
use that policy? And then the XACML v2.0 compliant PEP denies the request.

I'll tell you, if that doctor ended up with a denied request for my dad's
medical information because of an obligation, I'd be hacking XACML
compliant PEPs apart with a splitting maul (huge heavy axe).

I may deploy a XACML PDP, but I will not deploy an XACML compliant PEP.

Furthermore, what are we writing requirements for a PEP anyway? XACML is
about calculating a decision. Granted that decision has semantics that
SHOULD be followed. However, it is up to the enforcement agent to
interpret the decision as it sees fit.

I don't think categorically denying things is the answer to ALL problems.

If you're looking for a good use case, I just gave you a real one.

Cheers,
-Polar
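
The enforcement rule quoted from section 2.12, sketched as an added example that is not part of the original message or of the XACML specification: a PEP that grants access only when the decision is Permit and every returned obligation is both understood and discharged. The obligation id, handler names and the `enforce` function are hypothetical, and the PDP responses are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

@dataclass
class PdpResponse:
    decision: str                              # "Permit", "Deny", ...
    obligations: List[str] = field(default_factory=list)  # obligation ids

Handler = Callable[[], bool]                   # True when the obligation was discharged

def enforce(resp: PdpResponse, handlers: Dict[str, Handler]) -> Tuple[bool, str]:
    """Return (access_granted, reason) under the deny-unless-discharged rule."""
    if resp.decision != "Permit":
        return False, f"decision was {resp.decision}"
    # Check understanding first, so no side effect runs for a request
    # that will be denied anyway because of an unknown obligation.
    for ob in resp.obligations:
        if ob not in handlers:
            return False, f"obligation not understood: {ob}"
    for ob in resp.obligations:
        try:
            discharged = handlers[ob]()
        except Exception:
            discharged = False                 # a failing handler counts as not discharged
        if not discharged:
            return False, f"obligation not discharged: {ob}"
    return True, "permit"

EMAIL = "urn:example:obligation:email-patient"  # constructed id, not from the spec

def mail_up() -> bool:
    return True                                # stand-in for a successful send

def mail_down() -> bool:
    raise ConnectionError("mail relay unreachable")  # the outage case from the message

def demo() -> Dict[str, Tuple[bool, str]]:
    resp = PdpResponse("Permit", [EMAIL])      # constructed PDP response
    return {
        "mail_up": enforce(resp, {EMAIL: mail_up}),
        "mail_down": enforce(resp, {EMAIL: mail_down}),
        "not_understood": enforce(resp, {}),   # PEP with no handler for the id
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The `mail_down` and `not_understood` cases are the two paths by which a Permit from the PDP becomes a denial at the PEP.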

