Subject: Re: [xacml] New core and multiple resource profile and hierarchical


I think there are certain basic courtesies that need to be maintained 
for discussions on the list. Statements such as "It will not happen" or 
"this is not XACML" and so on aren't helpful and are, in fact, borderline 
rude. XACML is what the technical committee intends it to be, not what 
one interactor or the other feels it is.

As I understand it, Rich has pointed out certain issues with the 
hierarchical profile (as an aside, I found it essentially unreadable as 
it stands). Now, Rich may be pointing out issues that lie on the 
boundaries of the profile. It is possible that some of the comments 
should be directed to a pragmatic or best practices document.

Often, when experienced security architects bring up substantive issues, 
these issues may end up being a blend of theory and practice. So it 
would be a good idea to understand his proposals systematically, versus 
making announcements about exactly what XACML is or not, or that there 
is "no problem".

- prateek

>
> On Mar 4, 2009, at 10:52 AM, Rich.Levinson wrote:
>>
>>
>>     * The reason I am concerned about this issue is that from a
>>       security perspective, it makes little sense to me to force
>>       commonly understood hierarchies, such as organization charts,
>>       geographic breakdowns of organization operations, whether
>>       within a building or around the world, to suddenly have
>>       policies that are intended only to apply to the resources
>>       within these specified domains, suddenly apply to resources
>>       outside of these domains.
>>
>
> It will not happen. DAG describes what to apply precisely.
> Nothing will be "suddenly applied".
>
>>     * Similarly, resources within these domains will find themselves
>>       subject to policies applied to resources outside of these domains.
>>           o For example, if I am a manager in the United States, and
>>             there is a policy that says employees in the United
>>             States may treat the 4th of July as a holiday, then
>>             anyone outside the United States who has any superior
>>             inside the United States will be subject to this policy.
>>
> It has no bearing on XACML. Whatever is the intended chain of 
> command can be presented to PDP as a list of ancestors without any 
> problem.
>>
>>           o Why? Because the resources are treated as a DAG. DAGs do
>>             not deal with resources individually, they only deal with
>>             subtrees.
>>
>
> That is an unfounded assumption.
>
>> This is an invalid assertion. I leave the profile unchanged, except 
>> for distinguishing the DAG and forest/polyarchy distinctions.
>> The DAG is inherently multiple "overlapping" hierarchies that can 
>> be combined into a "single multiroot hierarchy" (see ref prev email) 
>> http://en.wikipedia.org/wiki/Directed_acyclic_graph#Properties
>
> No, it is not.  You have created a definition of "hierarchy" that is 
> not applicable and trying to shoehorn it into the profile.
>
> Daniel;
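To make the disagreement concrete, here is an added example (not from the thread, and not the hierarchical profile's own attribute model) that merges a geographic hierarchy and a reporting chain into one DAG and shows how the ancestor list handed to the PDP decides whether a "United States holiday" policy reaches a UK employee whose manager sits in the US. The node names, the edge labels and the `holiday_applies` rule are constructed for illustration.

```python
"""Toy resource DAG feeding an 'ancestor list' to a policy check.

Constructed example: two overlapping hierarchies (geography and
reporting chain) share nodes, so together they form a DAG rather
than a tree. Each edge is labelled with the hierarchy it belongs to.
"""
from typing import Dict, FrozenSet, Optional, Set

# Constructed DAG: node -> {parent: hierarchy-label}
EDGES: Dict[str, Dict[str, str]] = {
    "org": {},
    "US": {"org": "geo"},
    "UK": {"org": "geo"},
    "alice": {"US": "geo"},                      # manager located in the US
    "bob": {"UK": "geo", "alice": "reports-to"}, # UK employee, reports to alice
}


def ancestors(node: str, hierarchy: Optional[str] = None) -> FrozenSet[str]:
    """Transitive ancestors of `node`.

    hierarchy=None walks every edge (the whole DAG); naming a hierarchy
    walks only that hierarchy's edges, i.e. the chain you choose to
    present to the PDP.
    """
    seen: Set[str] = set()
    stack = [node]
    while stack:
        current = stack.pop()
        for parent, label in EDGES[current].items():
            if (hierarchy is None or label == hierarchy) and parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return frozenset(seen)


def holiday_applies(resource: str, hierarchy: Optional[str] = None) -> bool:
    """Constructed policy: 'employees in the United States get 4 July off',
    written the usual hierarchical way as 'US is among the resource's
    ancestors'. Which ancestors are supplied decides the answer."""
    return "US" in ancestors(resource, hierarchy)


if __name__ == "__main__":
    print("bob, full DAG     :", holiday_applies("bob"))          # True: reaches US via alice
    print("bob, geo chain    :", holiday_applies("bob", "geo"))   # False: UK only
    print("alice, full DAG   :", holiday_applies("alice"))        # True
```

The first call reproduces Rich's concern (a non-US resource inherits a US-scoped policy through a reporting edge); the second reproduces Daniel's answer (present only the intended chain of ancestors and the policy stays inside its domain).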

