Re: [xacml] The new advice "obligation"

[bill parducci <bill@parducci.net>]

On Dec 18, 2008, at 11:56 PM, Erik Rissanen wrote:

> 2. Should it be possible to have this apply to NotApplicable as  
> well, not just Permit/Deny?
>
> I am asking since a customer of mine wanted to use obligations on  
> NotApplicable to return a reason for why access was not allowed.
>
> I haven't thought it through properly yet, but it seems like a good  
> idea. Typically I would expect policies to list stuff that is  
> allowed, with perhaps some exceptions which deny. In general it's a  
> good principle for security design to "enumerate goodness", rather  
> than to try to list everything which is bad/dangerous. If one does  
> so, if a policy does not match, it would  be NotApplicable, not  
> Deny, so it would not be possible to return advice about what did  
> not match. If we don't allow advice on NotApplicable, then policy  
> writers need to refactor their policies to return Deny instead of  
> NotApplicable when they do not match.


Does this mean that all Policies not applicable to a decision would  
return an Obligation? Taken one step further with the TC's current  
decision re: Obligations, that all Rules that are not applicable will  
return Obligations?

Also, NotApplicable and "not allowed" are not explicitly correlated,  
since the latter is defined as a "Deny", so I am not sure I understand  
the use case fully. Are they looking for the logic behind each  
decision to be passed to the PEP? (Which could be unwieldy if the  
answer to my first question is yes :)

thanks

b