Re: [xacml] Any kind of policies in a request

[Anil Saldhana <Anil.Saldhana@redhat.com>]

Hi David,
   thanks for the additional explanation. I really have to think about 
this issue a bit. I do hope other TC members can weigh in their thoughts.

It should be possible to add in the xs:any element to allow extensibility.

Regards,
Anil

On 11/24/2009 11:28 AM, David Chadwick wrote:
> Hi Anil
>
> OK, now I understand your position. But it is opposed to the existing
> SAMLv2 profile of XACML, since ii) should by Yes to fit the existing
> profile, and iv) should be yes if the phrase "a general purpose" is 
> removed. In fact the only change I am proposing is to make iv) general 
> purpose as opposed to its current XACML specific purpose.
>
> I attach a Word document (sorry for that) which provides a modified 
> schema showing the change I propose highlighted in yellow, which is 
> the addition of one line, namely
>
> <xs:element ref="xs:any" minOccurs="0" maxOccurs="unbounded"/>
>
> This allows a policy in any language to be sent.
>
> I have also changed the name of the type to reflect that it is now 
> general purpose, and also so that it does not clash with the existing 
> type definition.
>
> regards
>
> David
>
>
> Anil Saldhana wrote:
>> Hi David,
>>
>> On 11/24/2009 04:15 AM, David Chadwick wrote:
>>> Hi Anil
>>>
>>> I dont understand precisely what your objection is. Please could you 
>>> be more specific by answering the following questions
>>>
>>> i) there should be a general mechanism for querying any remote PDP 
>>> for an authz response Y/N
>>>
>> Y
>>> ii) there is a need to dynamically push a policy to a remote PDP 
>>> along with an authz decision request Y/N
>>>
>> N
>>
>>> iii) the v2 XACML request/response context can be used as a general 
>>> purpose mechanism for making an authz query to any ABAC PDP Y/N
>>>
>> Y
>>> iv) the SAMLv2 profile of XACML can be used as a general purpose 
>>> mechanism for pushing a policy to a remote PDP along with making an 
>>> authz query Y/N
>>>
>> N
>> (The policy update has to be outside the normal request mechanism.  
>> If your use case is to make authz decisions based on a new 
>> replacement for a policy that exists just for the duration of the 
>> authz query, then that is interesting but a new use case which may 
>> require new constructs).
>>
>>> regards
>>>
>>> David
>>>
>>> Anil Saldhana wrote:
>>>> David,
>>>>   I have a hard time really agreeing to your proposal of 
>>>> interlinking requests and xacml policies.
>>>>
>>>> The XACML policy aspect has to be out of band wrt the 
>>>> request-response mechanism.
>>>>
>>>> Regards,
>>>> Anil
>>>>
>>>> On 11/23/2009 06:12 AM, Erik Rissanen wrote:
>>>>> David,
>>>>>
>>>>> I have been thinking more about this.
>>>>>
>>>>> I think that an extension point to plug in any kind of policy 
>>>>> format does not belong in the XACML core schema, and thus not in 
>>>>> the <Request>. The XACML schema is for defining the XACML 
>>>>> language, and we would lose some of the benefits of 
>>>>> standardization by allowing any content in it.
>>>>>
>>>>> However, SAML defined in the past a protocol for AuthZ 
>>>>> query/response. It is my understanding, and please correct me if I 
>>>>> am wrong, that there was an agreement between the SAML and XACML 
>>>>> TCs that the XACML request schema would supersede the SAML AuthZ 
>>>>> formats, and SAML dropped their own. The original SAML protocol 
>>>>> was ambiguous regarding the policy language.
>>>>>
>>>>> If we think of the XACML SAML profile to carry the legacy of the 
>>>>> original SAML AuthZ protocol, than I guess it would make sense to 
>>>>> support other policy languages since the original protocol was not 
>>>>> XACML specific.
>>>>>
>>>>> What do the rest of the TC see as the scope of the XACML SAML 
>>>>> profile? Is it just about supporting XACML, or does it have a 
>>>>> wider scope?
>>>>>
>>>>> Best regards,
>>>>> Erik
>>>>>
>>>>> David Chadwick wrote:
>>>>>> Subsequent to the minutes
>>>>>>
>>>>>> Rich.Levinson wrote:
>>>>>>
>>>>>>>
>>>>>>> Proposed schema change for policies and discussion from
>>>>>>>  David Chadwick and response from Erik:
>>>>>>>   http://lists.oasis-open.org/archives/xacml/200911/msg00023.html
>>>>>>>
>>>>>>>    Erik: David proposed req ctx schema for ext pts xml any, where
>>>>>>>     can put proprietary policy lang things; doesn't make sense
>>>>>>>     to std on any policies in fmt; suggest using saml/xacml
>>>>>>>     mechanism
>>>>>>>    Rich: sees it as potentially disruptive, effectively allowing
>>>>>>>     elements as children of PolicySet
>>>>>>>    Bill: proprietary elements don't make sense; need further info
>>>>>>>     to be considered;
>>>>>>>
>>>>>>>     defer topic until more info from David addressing concerns
>>>>>>>      in email and minutes
>>>>>>>
>>>>>>
>>>>>> It makes sense because we cannot assume that every PDP talks the 
>>>>>> XACML policy language. However, it is possible to make every PDP 
>>>>>> talk the XACML request/response context. Once we have sticky 
>>>>>> policies and obligations which we pass around a distributed 
>>>>>> system we need to be able to cater for multiple policy languages. 
>>>>>> If you see my presentation at W3C yesterday at
>>>>>>
>>>>>> http://www.w3.org/2009/policy-ws/slides/Chadwick.pdf
>>>>>>
>>>>>> and look at slide 5 from 11, you will see why we need to relax 
>>>>>> the schema requirements on the policy element in the SAML-XACML 
>>>>>> profile, otherwise we have no standard way of passing a sticky 
>>>>>> policy to an AIPEP or Master PDP.
>>>>>>
>>>>>> regards
>>>>>>
>>>>>> David