Subject: Re: [xacml] Any kind of policies in a request
David,

I have a hard time really agreeing to your proposal of interlinking requests and xacml policies. The XACML policy aspect has to be out of band wrt the request-response mechanism.

Regards,
Anil

On 11/23/2009 06:12 AM, Erik Rissanen wrote:
> David,
>
> I have been thinking more about this.
>
> I think that an extension point to plug in any kind of policy format
> does not belong in the XACML core schema, and thus not in the
> <Request>. The XACML schema is for defining the XACML language, and we
> would lose some of the benefits of standardization by allowing any
> content in it.
>
> However, SAML defined in the past a protocol for AuthZ query/response.
> It is my understanding, and please correct me if I am wrong, that
> there was an agreement between the SAML and XACML TCs that the XACML
> request schema would supersede the SAML AuthZ formats, and SAML
> dropped their own. The original SAML protocol was ambiguous regarding
> the policy language.
>
> If we think of the XACML SAML profile to carry the legacy of the
> original SAML AuthZ protocol, then I guess it would make sense to
> support other policy languages since the original protocol was not
> XACML specific.
>
> What do the rest of the TC see as the scope of the XACML SAML profile?
> Is it just about supporting XACML, or does it have a wider scope?
>
> Best regards,
> Erik
>
> David Chadwick wrote:
>> Subsequent to the minutes
>>
>> Rich.Levinson wrote:
>>
>>>
>>> Proposed schema change for policies and discussion from
>>> David Chadwick and response from Erik:
>>> http://lists.oasis-open.org/archives/xacml/200911/msg00023.html
>>>
>>> Erik: David proposed req ctx schema for ext pts xml any, where
>>> can put proprietary policy lang things; doesn't make sense
>>> to std on any policies in fmt; suggest using saml/xacml
>>> mechanism
>>> Rich: sees it as potentially disruptive, effectively allowing
>>> elements as children of PolicySet
>>> Bill: proprietary elements don't make sense; need further info
>>> to be considered;
>>>
>>> defer topic until more info from David addressing concerns
>>> in email and minutes
>>>
>>
>> It makes sense because we cannot assume that every PDP talks the
>> XACML policy language. However, it is possible to make every PDP talk
>> the XACML request/response context. Once we have sticky policies and
>> obligations which we pass around a distributed system we need to be
>> able to cater for multiple policy languages. If you see my
>> presentation at W3C yesterday at
>>
>> http://www.w3.org/2009/policy-ws/slides/Chadwick.pdf
>>
>> and look at slide 5 from 11, you will see why we need to relax the
>> schema requirements on the policy element in the SAML-XACML profile,
>> otherwise we have no standard way of passing a sticky policy to an
>> AIPEP or Master PDP.
>>
>> regards
>>
>> David