[xacml] Today's meeting

[Erik Rissanen <mirty@sics.se>]

Hello,

I am unable to attend the meeting today due to other commitments. Here 
is a short summary on what I have been thinking since the focus group 
meeting.

I already posted my thoughts about combining policies by different 
issuers. In short, I think the entity/authority collecting the policies 
into the PDP has to decide which combining algorithm to use. I am not 
sure if all the existing policy combining algorithms would be useful in 
that context. In any case, using policy combining algorithms would mean 
that delegation has to be handled "internally" in the PDP, not 
externally like my current implementation does.

I have not had time to think much about what it would mean to handle the 
delegation internally in the PDP, but I doubt it would pose any more 
problems than to do it externally.

What I have been working on in the last few weeks is how to make it easy 
for an administrator looking at a set of delegated policies to 
understand how the policies go together, that is, which administrative 
policy authorizes which other policies. There is a fundamental 
difficulty in the approach I have chosen in that it is possible for one 
policy to receive support from different policies depending on the 
access request. This is by design, since it allows for a local 
administrator to combine rights from several sources in a single 
permission, thus decoupling high level adminstration from local 
administration. The downside is that it may be difficult to see how 
things fit together.

A solution I am looking into is to let administrators explicitly state, 
in the form of a link in a delegated policy, which other policy they 
intend to support the policy they are issuing. These links would 
directly show the dependencies among the policies. This has drawbacks in 
itself. For instance if a policy up in the delegation hierarchy is 
replaced, the links would become invalid.

Another idea is to limit the rules/policies to such that they can be 
directly compared ahead of the access request and prevalidated. I think 
this is how Frank is imagining it. This would loose the ability to 
combine rights from several sources though.

Yet another idea is to compare delegations constraints, since they do 
not depend on the particulars of the access request. They would give an 
indication of how what the possible support relations are, and the 
administrator could "fill in the gaps" by looking at the policies 
herself. I worry that this could be computationally expensive and that 
there would be too many "false" indications of support.

So far I do not know have important these problems are, and I have no 
clear solution. I will be working on these issues in the next few weeks.

Best regards, Erik