[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: Call for Obligations
My use cases in mind are the following (please correct me wherever my understanding is wrong):

a) Legitimate authorization request arrives at the PEP. PEP invokes the PDP. PDP comes back with 'PERMIT' and a set of obligations. PEP is unable to fulfill 1 or more obligations. PEP issues an error. What happened to the legitimate request?

b) PDP issues a 'PERMIT' with a logging obligation. PEP does not want to log because performance considerations have been put forward and logging is low priority for the PEP. PEP issues an error.

These are the use cases where I feel that obligations can have an optional tag such that the PEP can be spec compliant in ignoring them.

sampo@symlabs.com wrote:
> Anil Saldhana writes:
>> Has there been any work on obligations since xacml v2.0?
>>
>> Some use cases:
>> Some of the things that pop up in mind with reference to obligations
>> are:
>> a) Auditing. (Common use case).
>> b) Deny further requests on a particular subject if the number of
>> unsuccessful authorization requests > n times. (More of a DOS use
>> case). - Blacklist a subject.
>>
>> Priority among ObligationCategoryMembers:
>> http://wiki.oasis-open.org/xacml/DiscussionOnObligations
>> In the case of "encrypt" category, what if the PEP is unable to
>> encrypt using "3DES" but can do "blowfish"? I think there is scope
>> for levels of priority here with reference to obligation categories
>> for the various members.
>>
>> Optional Obligations:
>
> How is an Obligation an obligation if it is optional?
> Perhaps better wording would be qualified or alternate obligations,
> e.g. either you MUST log or you MUST validate a digital
> signature (which MUST be present and valid).
>
> Cheers,
> --Sampo
>
>> I am also wondering if there is scope to specify whether a particular
>> obligation is required or optional. The reason is if a particular
>> PEP is not able to perform a particular obligation, then it is
>> non-reasonable to deny a particular access. A policy writer should be
>> able to specify obligations that are mandatory and some that are
>> optional (e.g. logging for performance purposes).
>
> __________________________________________________________________
> Sym  | Sampo Kellomaki        | Identity Architect, Federated SSO
> ____ | +351-918.731.007       | Liberty ID-WSF DirectoryScript
> labs | skype: sampo.kellomaki | LDAP SOAP PlainDoc Crypto C Perl

--
Anil Saldhana
JBoss Security & Identity Management
http://labs.jboss.com/portal/jbosssecurity/
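The two use cases above, modelled as an added example (not code from the thread or from any XACML implementation): a model PEP that applies the XACML 2.0 rule that every obligation whose FulfillOn matches the decision must be understood and discharged, or access is denied, beside the proposed behaviour where an obligation carries an `optional` flag the PEP may skip. The `optional` field, the handler registry and the obligation ids are assumptions for the example; `ObligationId` and `FulfillOn` are the XACML 2.0 attributes.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Obligation:
    obligation_id: str       # XACML ObligationId
    fulfill_on: str          # XACML FulfillOn: "Permit" or "Deny"
    optional: bool = False   # hypothetical flag from the proposal; not in XACML 2.0


@dataclass
class Decision:
    decision: str                                  # "Permit" or "Deny"
    obligations: List[Obligation] = field(default_factory=list)


Handlers = Dict[str, Callable[[Obligation], None]]


def enforce(decision: Decision, handlers: Handlers,
            allow_optional: bool = False) -> Tuple[str, List[str]]:
    """Return (effective decision, discharged obligation ids).

    Without allow_optional this is the XACML 2.0 behaviour: a PEP that
    cannot discharge an applicable obligation must not grant access
    (use case a). With allow_optional, obligations flagged optional may
    be skipped when no handler exists (use case b)."""
    applicable = [o for o in decision.obligations
                  if o.fulfill_on == decision.decision]
    # Phase 1: check every applicable obligation before running any handler,
    # so a late failure does not leave earlier side effects (e.g. a partial
    # audit trail) behind a decision that is then refused.
    to_run = []
    for ob in applicable:
        if ob.obligation_id in handlers:
            to_run.append(ob)
        elif not (allow_optional and ob.optional):
            return "Deny", []
    # Phase 2: discharge the obligations the PEP understands.
    for ob in to_run:
        handlers[ob.obligation_id](ob)
    return decision.decision, [ob.obligation_id for ob in to_run]


# Constructed sample: the PEP can audit-log but cannot encrypt.
LOG_ID = "urn:example:obligation:audit-log"       # constructed id
ENCRYPT_ID = "urn:example:obligation:encrypt"     # constructed id
SAMPLE_HANDLERS: Handlers = {LOG_ID: lambda ob: None}
```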