xacml message


Subject: Re: Call for Obligations


My use cases in mind are the following (please correct me wherever my 
understanding is wrong):
a) Legitimate authorization request arrives at the PEP. PEP invokes the 
PDP. PDP comes back with 'PERMIT' and a set of obligations. PEP is 
unable to fulfill 1 or more obligations. PEP issues an error. What 
happened to the legitimate request?
b) PDP issues a 'PERMIT' with a logging obligation. PEP does not want to 
log because performance considerations have been put forward and logging 
is low priority for the PEP. PEP issues an error.

These are the use cases in which I feel obligations can have an 
optional tag, such that the PEP can be spec-compliant in ignoring them.

sampo@symlabs.com wrote:
> Anil Saldhana writes:
>> Has there been any work on obligations since xacml v2.0?
>> Some use cases:
>> Some of the things that pop up in mind with reference to obligations 
>> are:
>> a) Auditing. (Common use case).
>> b) Deny further requests on a particular subject if the number of 
>> unsuccessful authorization requests > n times. (More of a DOS use 
>> case). - Blacklist a subject.
>> Priority among ObligationCategoryMembers:
>> http://wiki.oasis-open.org/xacml/DiscussionOnObligations
>> In the case of "encrypt" category, what if the PEP is unable to 
>> encrypt using "3DES" but can do "blowfish"?  I think there is scope 
>> for levels of priority here with reference to obligation categories 
>> for the various members.
>> Optional Obligations:
>
> How is an Obligation an obligation if it is optional?
> Perhaps better wording would be qualified or alternate obligations,
> e.g. either you MUST log or you MUST validate a digital
> signature (which MUST be present and valid).
> Cheers,
> --Sampo
>> I am also wondering if there is scope to specify whether a particular 
>> obligation is required or optional.  The reason is if a particular 
>> PEP is not able to perform a particular obligation, then it is 
>> non-reasonable to deny a particular access. A policy writer should be 
>> able to specify obligations that are mandatory and some that are 
>> optional (e.g. logging for performance purposes).
> __________________________________________________________________
> Sym  | Sampo Kellomaki  ______| Identity Architect, Federated SSO
> ____ | +351-918.731.007 ______| Liberty ID-WSF DirectoryScript
> labs | skype: sampo.kellomaki | LDAP SOAP PlainDoc Crypto C Perl

-- 
Anil Saldhana
JBoss Security & Identity Management
http://labs.jboss.com/portal/jbosssecurity/
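The two use cases above, worked as an added example that is not part of this thread or of any XACML implementation: a PEP that discharges obligations fail-closed, with a hypothetical `required` flag standing in for the mandatory/optional tag proposed here (XACML 2.0 has no such attribute; obligation ids, the supported cipher set and the handlers are constructed).

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Obligation ids and the "required" flag are constructed for this example; the
# flag models the mandatory/optional split proposed in the thread, not XACML 2.0.
LOG_OBLIGATION = "urn:example:obligation:log"
ENCRYPT_OBLIGATION = "urn:example:obligation:encrypt"
SUPPORTED_CIPHERS = {"blowfish"}  # what this PEP can actually do


@dataclass
class Obligation:
    obligation_id: str
    attributes: Dict[str, str] = field(default_factory=dict)
    required: bool = True  # hypothetical attribute, see note above


@dataclass
class PDPResponse:
    decision: str  # "Permit" or "Deny"
    obligations: List[Obligation] = field(default_factory=list)


Handler = Callable[[Obligation], bool]  # True when the obligation was discharged


def enforce(response: PDPResponse, handlers: Dict[str, Handler]) -> Tuple[str, List[str]]:
    """Return (effective decision, skipped optional obligation ids); fail closed on unmet mandatory ones."""
    skipped: List[str] = []
    for ob in response.obligations:
        handler = handlers.get(ob.obligation_id)
        if handler is not None and handler(ob):
            continue
        if ob.required:
            # Use case (a): an unfulfillable mandatory obligation turns Permit into Deny
            return "Deny", skipped + [ob.obligation_id]
        skipped.append(ob.obligation_id)  # optional: report it, decision stands
    return response.decision, skipped


def pep_handlers() -> Dict[str, Handler]:
    return {
        LOG_OBLIGATION: lambda ob: False,  # use case (b): PEP opts out of logging
        ENCRYPT_OBLIGATION: lambda ob: ob.attributes.get("algorithm") in SUPPORTED_CIPHERS,
    }


def use_case_a() -> Tuple[str, List[str]]:
    """Permit with a mandatory 3DES encrypt obligation this PEP cannot meet."""
    resp = PDPResponse("Permit", [Obligation(ENCRYPT_OBLIGATION, {"algorithm": "3DES"})])
    return enforce(resp, pep_handlers())


def use_case_b() -> Tuple[str, List[str]]:
    """Permit with an optional logging obligation the PEP declines to perform."""
    resp = PDPResponse("Permit", [Obligation(LOG_OBLIGATION, required=False)])
    return enforce(resp, pep_handlers())
```

Note that with the flag set to its default (required), the logging case in (b) would also end in Deny, which is the behaviour the thread is questioning.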