As Hal suggested yesterday during the TC call, I submitted directly on the Wiki an initial list of 10 requirements for the policy cohort
https://wiki.oasis-open.org/xacml/Policy%20Administration%20Point%20Architecture
Hopefully we will find out if we share the same view on what a cohort should be. Please provide your feedback, corrections, and additional requirements.
Here they are, for completeness:
- Authenticity: an issuing authority may be associated and be authenticatable at a level of assurance by external (e.g. XML signature) means.
- Identity: must be uniquely identifiable, under the indicated namespace.
- Integrity: integrity may be ensured using appropriate means (e.g. XML signature).
- Confidentiality: confidentiality may be ensured using appropriate means (e.g. XML encryption).
- Reference-trust: policies included in the cohort may contain references to external attribute providers, for which the container cohort must ensure trust (e.g. in this case it must call them out).
- Administrative attributes: may be added, in a flexible manner, to allow _expression_ of e.g. business context information, contact information.
- Versioning: ?.
- Self-containtment: a policy cohort is self-contained, in the sense that it contains all the artifacts that it needs to operate.
- Auditability: a policy cohort must be considered as an unit of audit, i.e. audit log events must refer to the cohort, in addition to the policy that triggered the authorization decision.
- Testability: a policy cohort contains test dataset that consumers / implementors can use in order to test against their own implementations.
Thanks,
Jean-Paul Buu-Sao