

Subject: Re: [xacml] obligations & error conditions



Comments inline.

On Mon, 12 Apr 2004, Bill Parducci wrote:

> below are the changes that i think would be necessary to treat
> incomprehensible obligations directives as decision:ERROR (vs.
> decision:DENY). while the applied results are the same (from the
> subject's point of view anyway ;o), i believe that it provides the more
> logical decision outcome.
>
> b
>
> +++
>
> line 570:
> Therefore, bilateral agreement between a PAP and the PEP that will
> enforce its policies is required for correct interpretation.  While the
> contents of <Obligations> tags are opaque to the PDP, PEPs that conform
> with v2.0 of XACML MUST understand, and be capable of discharging, all
> obligations associated with a given decision if provided; failure to do
> so MUST act as if the PEP returned an ERROR. <Obligations> elements are
> returned to the PEP for enforcement.

I think you meant "if the PDP returned an ERROR".

I don't think that "enforcement" for an obligation is quite the proper
term, and we really don't have a use for the term "discharge". Also, I
think the last sentence is misplaced within the paragraph. How about:

Therefore, bilateral agreement between a PAP and the PEP that will enforce
its policies is required for correct interpretation. The PDP returns
<Obligations> elements for the PEP to discharge. While the contents of
<Obligations> tags are opaque to the PDP, PEPs that conform with v2.0 of
XACML MUST understand, and be capable of discharging, all obligations
associated with a given decision if provided; failure to do so MUST act as
if the PDP returned an ERROR.

> line 1538:
> [a478]-[a499] The <Obligations> element.  Obligations are a set of
> operations that MUST be performed by the PEP in conjunction with an
> authorization decision.  One or more obligations MAY be associated with
> a "Permit" or "Deny" authorization decision.

change "performed" to "discharged".
Again the last sentence seems misplaced.

[a478]-[a499] The <Obligations> element.  One or more obligations MAY be
associated with a "Permit" or "Deny" authorization decision. The
<Obligations> element contains a set of obligations, which are operations
that MUST be discharged by the PEP in conjunction with the associated
authorization decision.

> line 1715:
> The <Obligations> element contains a set of obligations that MUST be
> fulfilled by the PEP in conjunction with the authorization decision.  If
> the PEP does not understand, or cannot fulfill, any of the obligations,
> then it MUST act as if the PDP returned an ERROR for the authorization
> decision value.

change "fulfilled" to "discharged".

> line 2977:
> The <Result> element represents an authorization decision result for the
> resource specified by the ResourceId attribute.  It MAY include a set of
> obligations that MUST be fulfilled by the PEP.  If the PEP does not
> understand or cannot fulfill an obligation, then it MUST act as if the
> PDP returned an ERROR for the authorization decision value.

change "fulfilled" to "discharge".

> line 3006:
> A list of obligations that MUST be fulfilled by the PEP.  If the PEP
> does not understand or cannot fulfill an obligation, then it MUST act as
> if the PDP returned an ERROR for the authorization decision value.  See
> Section 7.15 for a description of how the set of obligations to be
> returned by the PDP is determined.

change "fulfilled" to "discharge"


Man, in how many places do we say the same thing?

> line 3130:
> A PEP SHALL allow access to the resource only if a valid XACML response
> of "Permit" is returned by the PDP.  The PEP SHALL deny access to the
> resource in all other cases.  An XACML response of "Permit" SHALL be
> considered valid only if the PEP understands and can and will fulfill
> all of the obligations contained in the response.  An XACML response of
> "Deny" may also be accompanied by obligations.  In this case, if the PEP
> understands and can fulfill the obligations it MUST deny access and
> make best efforts to fulfill the obligations; otherwise the PEP MUST
> treat the decision by the PDP as an ERROR.

What if the PDP returns an Indeterminate or NotApplicable? We need to get
rid of the second sentence.

A PEP SHALL allow access to the resource only if a valid XACML response of
"Permit" is returned by the PDP.  An XACML response of "Permit" SHALL be
considered valid only if the PEP understands and can and will discharge
all of the obligations contained in the response.  An XACML response of
"Deny" may also be accompanied by obligations.  In this case, if the PEP
it MUST deny access and make best efforts to discharge the obligations;
otherwise the PEP MUST treat the decision by the PDP as an ERROR.


> line 3478:
> A PEP that receives a valid XACML response of "Permit" with obligations
> SHALL be responsible for fulfilling all of those obligations.  A PEP
> that receives an XACML response of "Deny" with obligations SHALL be
> responsible for fulfilling all of the obligations that it understands
> and is capable of fulfilling. If the PEP cannot understand the
> obligations provided by the PDP it must treat the decision by the PDP as
> an ERROR.

change "fulfilling" to "discharging".


Now, after that. I still have this problem with the skew toward Deny
being acceptable.

If obligations are not understandable by a PEP, then there is something
wrong with the "bi-lateral agreement". I think, whether the decision is
Permit or Deny, if there are any obligations that are not understandable
or not dischargeable, it should be considered an error, and the PEP is free
to seek alternatives.

For example, Access to opening the freezer door from the inside. "Deny
with obligation to ring security desk."

Mary is denied opening the door because her card doesn't work. It's -30
degrees in the freezer. The phone at the security desk is busy, because
Bob, the guard, is talking to his mom.

The PEP following the XACML 2.0 specification, Denies, and declaring a
"best effort" in contacting the security desk gave up discharging its
obligation with no consequence.

Mary is dead 1 hour later.

Good Morning.

Cheers, :)
-Polar
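
An added illustration, not part of the original message or of the XACML specification: a minimal PEP enforcement routine that contrasts the quoted draft's "best efforts" handling of Deny with the reply's proposal that any undischarged obligation is an error. The obligation URN, the handler names and the `deny_best_effort` flag are hypothetical.

```python
from enum import Enum

class Outcome(Enum):
    ALLOW = "allow"
    DENY = "deny"
    ERROR = "error"  # PEP acts as if the PDP had returned an error

def enforce(decision, obligations, handlers, deny_best_effort):
    """Apply a PDP decision plus obligations; return (Outcome, failed ids).

    handlers: obligation id -> callable returning True once discharged.
    A missing handler means the PEP does not understand the obligation.
    deny_best_effort=True follows the quoted draft text: a Deny stands even
    if an understood obligation could not be discharged. False follows the
    reply's proposal: any undischarged obligation is an error.
    """
    if decision not in ("Permit", "Deny"):
        # The thread leaves Indeterminate/NotApplicable handling open.
        raise ValueError("only Permit and Deny are modelled here")
    # Check understanding first so nothing is half-discharged on an error.
    unknown = [o for o in obligations if o not in handlers]
    if unknown:
        return Outcome.ERROR, unknown
    failed = [o for o in obligations if not handlers[o]()]
    if failed and (decision == "Permit" or not deny_best_effort):
        return Outcome.ERROR, failed
    return (Outcome.ALLOW if decision == "Permit" else Outcome.DENY), failed

# Constructed scenario from the freezer example: the desk line is busy,
# so the obligation is understood but cannot be discharged.
def ring_security_desk():
    return False

HANDLERS = {"urn:example:obligation:ring-security-desk": ring_security_desk}
FREEZER = ["urn:example:obligation:ring-security-desk"]

if __name__ == "__main__":
    print(enforce("Deny", FREEZER, HANDLERS, deny_best_effort=True))
    print(enforce("Deny", FREEZER, HANDLERS, deny_best_effort=False))
```

Returning the list of failed obligation ids alongside the outcome gives the caller something to log or escalate on, which is the point of surfacing the failure as an error instead of a silent Deny.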

