[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml] Issues 63, 71 and 77
Yes, it makes sense. So, we should allow the cross product, and write a security consideration to warn implementers about DoS. Regards, Erik Anne Anderson - Sun Microsystems wrote: > Use cases come up where the requester has a group of subjects and a > group of resources, and needs to find out which of those subjects can > access which of those resources, or where there is a group of > resources and a group of actions, and the requester needs to know > which of those actions the subject can perform on which of those > resources. The requester can submit a separate Request for each > combination, but it would save bandwidth to send a single Request that > is expanded on the PDP side. > > This can come up in practice with the sorts of applications that > present different menus to different user roles depending on the tasks > they want to perform. Assume the policies are updated between > midnight and 1am every night, and no access is allowed during that > time. The application can be optimized to determine the allowed > combinations at 1am every morning rather than on each individual user > access. > > Implementations could place limits on the maximum number of > combinations if necessary. This limit could be included in the PDP > metadata. > > Regards, > Anne > > Erik Rissanen wrote: >> Anne Anderson - Sun Microsystems wrote: >> >>>> If there are two or more categories which are repeated, then it is an >>>> error. >>> >>> Alternatively, we could say that the cross product of the combinations >>> will be created, and each evaluated as a separate request. Using >>> simpler syntax just to illustrate: >> >> >> Yes, I thought about this as well, but I couldn't think of any >> meaningful use cases to it. My concern with the cross products is that >> the amount of work and the size of the output increase exponentially, >> meaning that it opens up a vulnerability for DoS attacks. >> >> Regards, >> Erik >> >
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]