Re: [xacml] Issues 63, 71 and 77

[Erik Rissanen <erik@axiomatics.com>]

Yes, it makes sense. So, we should allow the cross product, and write a
security consideration to warn implementers about DoS.

Regards,
Erik

Anne Anderson - Sun Microsystems wrote:
> Use cases come up where the requester has a group of subjects and a
> group of resources, and needs to find out which of those subjects can
> access which of those resources, or where there is a group of
> resources and a group of actions, and the requester needs to know
> which of those actions the subject can perform on which of those
> resources.  The requester can submit a separate Request for each
> combination, but it would save bandwidth to send a single Request that
> is expanded on the PDP side.
>
> This can come up in practice with the sorts of applications that
> present different menus to different user roles depending on the tasks
> they want to perform.  Assume the policies are updated between
> midnight and 1am every night, and no access is allowed during that
> time.  The application can be optimized to determine the allowed
> combinations at 1am every morning rather than on each individual user
> access.
>
> Implementations could place limits on the maximum number of
> combinations if necessary.  This limit could be included in the PDP
> metadata.
>
> Regards,
> Anne
>
> Erik Rissanen wrote:
>> Anne Anderson - Sun Microsystems wrote:
>>
>>>> If there are two or more categories which are repeated, then it is an
>>>> error.
>>>
>>> Alternatively, we could say that the cross product of the combinations
>>> will be created, and each evaluated as a separate request.  Using
>>> simpler syntax just to illustrate:
>>
>>
>> Yes, I thought about this as well, but I couldn't think of any
>> meaningful use cases to it. My concern with the cross products is that
>> the amount of work and the size of the output increase exponentially,
>> meaning that it opens up a vulnerability for DoS attacks.
>>
>> Regards,
>> Erik
>>
>