Subject: RE: [xacml] Duplicate Organization Attribute in EC-US and IPC Profiles


Generally, export and IP access control decisions should be evaluated independently.  The "SHALL NOT" language from the Conformance section is common to other profiles, and is only intended to promote interoperability, so I don't foresee a conflict in this area.

Thoughts?

-----Original Message-----
From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On Behalf Of Steven Legg
Sent: Thursday, September 06, 2012 11:08 PM
To: Hill, Richard C
Cc: XACML-TC-mailinglist
Subject: Re: [xacml] Duplicate Organization Attribute in EC-US and IPC Profiles


Hi Richard,

On 7/09/2012 10:44 AM, Hill, Richard C wrote:
> Just some thoughts to consider:
>
> The IPC 'organization' attribute relates to an IP agreement, while the EC-US 'organization' attribute relates to an export license. These are two separate contexts. In the case where both IP and Export contexts are contained in the same XACML request, it would be good to be able to differentiate between the two. Additionally, there shouldn't be any conflicts using both 'organization' attributes in the same XACML request or policy since their URNs are both unique. The IPC URN contains 'ipc' and the EC-US URN contains 'ec-us'.
>
> urn:oasis:names:tc:xacml:3.0:ipc:subject:organization
> urn:oasis:names:tc:xacml:3.0:ec-us:subject:organization
>
> Using a generic 'organization' attribute that could be used interchangeably between IPC or EC-US (or anywhere else for that matter) would require an additional attribute (e.g. 'organization-context') to be used to indicate whether the 'organization' attribute refers to an IP or Export context. In the case where both IP and Export contexts are contained in the same XACML request it would be difficult to know which of the two generic 'organization' attributes (one for IP and one for Export) corresponds to the correct 'organization-context' attribute.

The key question is whether the values of the organization attribute would be different in both contexts. On re-reading I see that the IPC profile allows a wider range of possible associations between the subject and the subject's organization than would likely be the case with the EC-US profile, so on that basis separate attributes are required to allow differing sets of values.

However, the values will often be the same or overlap so I still think that "SHALL NOT use any other identifiers for the purposes defined by attributes in this profile" puts both profiles in violation of each other. The quoted text should be struck out of both profiles.

Regards,
Steven

>
> Thanks,
> Richard Hill
>
>
> -----Original Message-----
> From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On Behalf Of Steven Legg
> Sent: Wednesday, September 05, 2012 5:35 PM
> To: XACML-TC-mailinglist
> Subject: [xacml] Duplicate Organization Attribute in EC-US and IPC Profiles
>
>
> The IPC profile and the EC-US profile both define an organization subject attribute, apparently for the same purpose, but with different identifiers. A conformant implementation or deployment supporting both profiles simultaneously would be obliged to redundantly provide a subject's organization in both of these attributes.
>
> Furthermore, the EC-US profile says in section 5.1 that policies and requests "SHALL NOT use any other identifiers for the purposes defined by attributes in this profile" which means that the IPC profile is technically in violation of the conformance criteria for the EC-US profile.
>
> I suggest that one of these profiles (I don't care which) defines the organization attribute and the other profile references that definition, or that both profiles define the attribute using the same identifier (and ideally, acknowledge that the other profile contains an identical definition).
>
> Regards,
> Steven
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: xacml-unsubscribe@lists.oasis-open.org
> For additional commands, e-mail: xacml-help@lists.oasis-open.org
>


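The two points argued in this thread, that the IPC and EC-US organization identifiers can coexist in one request because their URNs differ, and that the EC-US "SHALL NOT use any other identifiers" conformance clause is nevertheless violated when the other profile's identifier serves the same purpose, can be made concrete with a small checker. The following is an added example written for this archive page; it is not code from the XACML TC or either profile. It assumes a plain XACML 3.0 Request with a single access-subject category, treats the clause as forbidding any foreign identifier for the organization purpose, and the `conformance_claims` parameter, the `build_request` helper and the sample values are constructed for illustration.

```python
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
SUBJECT_CATEGORY = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
STRING_TYPE = "http://www.w3.org/2001/XMLSchema#string"

# The two organization identifiers quoted in the thread, keyed by profile.
PROFILE_ORG_IDS = {
    "ipc": "urn:oasis:names:tc:xacml:3.0:ipc:subject:organization",
    "ec-us": "urn:oasis:names:tc:xacml:3.0:ec-us:subject:organization",
}


def build_request(org_values):
    """Build a constructed XACML 3.0 Request carrying one subject
    organization attribute per profile in org_values ({profile: value}).
    Helper for the example only; real requests come from the PEP."""
    attrs = "".join(
        f'    <Attribute AttributeId="{PROFILE_ORG_IDS[p]}" IncludeInResult="false">\n'
        f'      <AttributeValue DataType="{STRING_TYPE}">{v}</AttributeValue>\n'
        f"    </Attribute>\n"
        for p, v in org_values.items()
    )
    return (
        f'<Request xmlns="{XACML_NS}" ReturnPolicyIdList="false" CombinedDecision="false">\n'
        f'  <Attributes Category="{SUBJECT_CATEGORY}">\n{attrs}  </Attributes>\n'
        f"</Request>"
    )


def subject_attributes(request_xml):
    """Return {AttributeId: [values]} for every attribute in the
    access-subject category of a XACML 3.0 Request."""
    root = ET.fromstring(request_xml)
    ns = {"x": XACML_NS}
    result = {}
    for attrs in root.findall("x:Attributes", ns):
        if attrs.get("Category") != SUBJECT_CATEGORY:
            continue
        for attr in attrs.findall("x:Attribute", ns):
            values = [v.text for v in attr.findall("x:AttributeValue", ns)]
            result.setdefault(attr.get("AttributeId"), []).extend(values)
    return result


def organization_report(request_xml, conformance_claims=("ipc", "ec-us")):
    """Report which profiles' organization attributes a request carries,
    whether their value sets agree, and which conformance claims are
    broken under the strict reading of the "SHALL NOT use any other
    identifiers" clause (assumed here to apply to each claimed profile)."""
    attrs = subject_attributes(request_xml)
    present = {p: attrs[i] for p, i in PROFILE_ORG_IDS.items() if i in attrs}

    # Richard's coexistence point: distinct URNs never collide, so both
    # can be present; we only note whether the carried values line up.
    value_sets = [set(v) for v in present.values()]
    values_agree = len(value_sets) < 2 or all(s == value_sets[0] for s in value_sets)

    # Steven's conformance point: a request claiming profile P while using
    # another profile's identifier for the organization purpose breaks the
    # strict clause for P, regardless of whether P's own identifier is there.
    strict_violations = {
        p: sorted(q for q in present if q != p)
        for p in conformance_claims
        if any(q != p for q in present)
    }
    return {
        "present": present,
        "values_agree": values_agree,
        "strict_violations": strict_violations,
    }


if __name__ == "__main__":
    # Constructed sample: the same organization supplied under both identifiers.
    both = build_request({"ipc": "Example Corp", "ec-us": "Example Corp"})
    print(organization_report(both))
    # Constructed sample: EC-US only, which is clean under either claim it makes.
    print(organization_report(build_request({"ec-us": "Example Corp"}), ("ec-us",)))
```

Run as a script it prints the two reports; the interesting case is the first, where both identifiers coexist without collision yet each profile's strict clause is reported as violated by the other's identifier, which is exactly the redundancy-plus-conflict situation the thread is trying to resolve in the profile text rather than in implementations.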