

Subject: Re: [xacml] New Topic: Policy Provisioning


Anne, I understand your position. I think it's up to each TC to consider what they normatively reference (as we all reference SOAP 1.1/WSDL 1.1, which are only W3C notes, and lots of algorithms that are not either); it's not up to OASIS. We are going through this issue now in the WSSX-TC.

Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122
From: Anne Anderson - Sun Microsystems <Anne.Anderson@sun.com>
Date: 03/08/2007 09:54 AM
Please respond to: Anne.Anderson@sun.com
To: xacml@lists.oasis-open.org
Subject: Re: [xacml] New Topic: Policy Provisioning

Have WS-MetadataExchange and WS-Resource Transfer been submitted to any
standards group?  I can find no record of such a submission.  Until they
are, I don't see how the XACML TC can consider them as the basis for an
XACML TC profile.  In addition, they would need to actually achieve
standard status in order for the profile to be approved by OASIS or
ITU-T as a standard - it is a long road from "not yet submitted" to
"approved standard".

SPML, on the other hand, is a mature approved OASIS Standard - Version 2
was approved in April 2006.  Even if SPML is not ideal, our profile
could use the parts of it that work for us, and extend or profile it for
additional or different functionality.

I know almost nothing about SPML and have no idea where Sun stands
regarding it, so my opinion is not based on any technical or corporate bias.

Regards,
Anne

Anthony Nadalin wrote On 03/07/07 19:03,:
> And I'm suggesting that we have other web services protocols that also
> can provision policy like WS-MEX/Transfer/ResourceTransfer that need to
> be factored.
>
>
> Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122
> From: "Hal Lockhart" <hlockhar@bea.com>
> Date: 03/07/2007 10:52 AM
> To: Anthony Nadalin/Austin/IBM@IBMUS
> cc: "Prateek Mishra" <prateek.mishra@oracle.com>, <xacml@lists.oasis-open.org>
> Subject: RE: [xacml] New Topic: Policy Provisioning
>
> I think there is a basic misunderstanding here. I did not mean to
> suggest that XACML endorse the implementation of SPML 2.0. What I am
> proposing is that we use parts of the schema and some of the semantics
> as appropriate as the starting point to construct a XACML Policy
> Provisioning Protocol. This would be exactly analogous to the Policy
> Request and Policy Decisions Protocols in the XACML SAML Profile. Using
> these protocols does not require you to support any other parts of SAML.
>
> Hal
>
> ------------------------------------------------------------------------
> *From:* Anthony Nadalin [mailto:drsecure@us.ibm.com]
> *Sent:* Tuesday, March 06, 2007 10:28 PM
> *To:* Hal Lockhart
> *Cc:* Prateek Mishra; xacml@lists.oasis-open.org
> *Subject:* RE: [xacml] New Topic: Policy Provisioning
>
> I think that there are a number of issues:
>
> 1) Very large feature set, a number of capabilities in the core set
> belong to web services development tools rather than provisioning,
> including schema and capability discovery. This places a burden on
> implementing SPML 2. This poses problems for vendors trying to implement
> SPML introducing the need to hand craft SPML implementations and for IT
> organizations in hand crafting client applications (requesting
> authorities) for those SPML providers rather than being able to generate
> code from WSDL.
>
> 2) Insufficient description of integration with security. There is no
> description of communication of the identity of the user submitting the
> request (identity of the RA), which may be necessary for authentication,
> authorization, and auditing. T
>
> 3) Insufficient feature set for enterprises wanting to develop simple
> self service user interfaces with web services.
>
> WS-MEX/Transfer may be one approach. One of the key problems that it
> addresses is the need for out-of-band information that SPML does, which
> is related to the first point above.
>
>
> Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122
> From: "Hal Lockhart" <hlockhar@bea.com>
> Date: 03/06/2007 09:50 AM
> To: Anthony Nadalin/Austin/IBM@IBMUS, "Prateek Mishra" <prateek.mishra@oracle.com>
> cc: <xacml@lists.oasis-open.org>
> Subject: RE: [xacml] New Topic: Policy Provisioning
>
> I don’t see any technical reason why SPML is inappropriate. Policy
> provisioning has been discussed by the Provisioning TC as a use case. In
> addition, there are specific features of SPML, such as operators,
> batching, etc. which we would have to reinvent if we do not use SPML. Do
> you see a specific technical problem or have an alternative starting
> point in mind?
>
> Hal
>
> ------------------------------------------------------------------------
> *From:* Anthony Nadalin [mailto:drsecure@us.ibm.com]
> *Sent:* Tuesday, March 06, 2007 10:27 AM
> *To:* Prateek Mishra
> *Cc:* Hal Lockhart; xacml@lists.oasis-open.org
> *Subject:* Re: [xacml] New Topic: Policy Provisioning
>
> Is SPML the proper protocol for policy lifecycle mechanisms? Seems like
> a bit of a stretch
>
> Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122
> From: Prateek Mishra <prateek.mishra@oracle.com>
> Date: 03/06/2007 08:56 AM
> To: xacml@lists.oasis-open.org
> cc: Hal Lockhart <hlockhar@bea.com>
> Subject: Re: [xacml] New Topic: Policy Provisioning
>
> Hal,
>
> Your proposed approach is of interest to us.
>
> I will obtain additional feedback on this issue and post the use-cases
> of interest to us.
>
> - prateek
>
>
>  > I have taken a further look at SPML and suggest the following might be a
>  > reasonable approach. Base the implementation on the SPML v2 - XSD
>  > Profile. Use Policy ID as the PSO Identifier. Using SPML defined
>  > operations the PAP can inquire of a PDP what policies it currently has.
>  > Using SPML the PAP can add, modify and delete policies as required.
>  > Using the SPML Batch capability, the PAP can ensure that a set of
>  > updates is applied as a unit, thus avoiding the problem of the PDP
>  > making decisions on some inconsistent, interim set of policies. SPML
>  > also provides other potentially useful features such as error codes,
>  > asynchronous operations and capability queries.
>  >
>  > The main thing that this proposal requires is people who are willing to
>  > contribute to the work and edit the document.
>  >
>  > Hal
>  >
>  >
>

--
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
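
The "set of updates applied as a unit" behaviour proposed in the quoted text above, as an added example that is not part of the original thread and is not SPML's schema or wire format. It models only the semantics in memory; `PolicyStore`, `Op`, `BatchError` and the policy IDs are hypothetical names constructed for illustration.

```python
from dataclasses import dataclass

class BatchError(Exception):
    """Raised when any operation in a batch is rejected."""

@dataclass(frozen=True)
class Op:                      # hypothetical model of one provisioning operation
    kind: str                  # "add", "modify" or "delete"
    policy_id: str             # policy ID used as the object identifier
    policy: str = ""           # policy document text (ignored for delete)

class PolicyStore:
    """Hypothetical PDP-side store; the PDP only ever reads self._active."""
    def __init__(self):
        self._active = {}
        self.version = 0

    def list_ids(self):        # what a PAP would see when it asks the PDP
        return sorted(self._active)

    def apply_batch(self, ops):
        staged = dict(self._active)          # work on a private copy
        for i, op in enumerate(ops):
            exists = op.policy_id in staged
            if op.kind == "add" and not exists:
                staged[op.policy_id] = op.policy
            elif op.kind == "modify" and exists:
                staged[op.policy_id] = op.policy
            elif op.kind == "delete" and exists:
                del staged[op.policy_id]
            else:
                raise BatchError(f"op {i} ({op.kind} {op.policy_id}) rejected")
        self._active = staged                # one swap: all updates or none
        self.version += 1
        return self.version

def demo():
    # Constructed policy IDs and bodies, for illustration only.
    store = PolicyStore()
    store.apply_batch([Op("add", "deny-all", "<Policy/>"),
                       Op("add", "hr-read", "<Policy/>")])
    before = store.list_ids()
    try:   # second op fails, so the delete of deny-all must not take effect
        store.apply_batch([Op("delete", "deny-all"),
                           Op("modify", "finance-read", "<Policy/>")])
    except BatchError:
        pass
    after_failed = store.list_ids()
    store.apply_batch([Op("delete", "deny-all"),
                       Op("add", "finance-read", "<Policy/>")])
    return before, after_failed, store.list_ids(), store.version
```

The failed batch is the case that matters for access control: without staging, the PDP would briefly evaluate requests with `deny-all` removed and its replacement missing.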

