[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml] Duplicate Organization Attribute in EC-US and IPC Profiles
Hi John, Richard, Steven, Jean-Paul, and Ray, I mentioned at last week's mtg that a common repository of attr defns would be very helpful to resolve issues where 2 profiles want to "share" the same attribute defn: https://lists.oasis-open.org/archives/xacml/201209/msg00015.html Ray also followed up to the original issue w a comment along similar lines: https://lists.oasis-open.org/archives/xacml/201209/msg00013.html where it sounds like the IANA registry is already positioned to provide this type of service. However, Richard Hill sent a clarifying email indicating that there were actually 2 distinct attributes defined: https://lists.oasis-open.org/archives/xacml/201209/msg00016.html urn:oasis:names:tc:xacml:3.0:ipc:subject:organizationAssuming that is the case and the attributes are distinct within the profiles and make no refs to the other profile, and have a profile-specific defn, then I think the uniqueness of the URN should be sufficient to disambiguate. For example, in general, if there are 2 profiles: profile-1 and profile-2, which may or may not have anything to do with each other in practice, and are intended to be used independently, then I don't see any problem if within their local namespace, they use attr names that are identical to attr names in the other namespace. i.e. urn:oasis:xacml:profile-001:name, andIn the above case, each profile has a local attr named "name". However, at a global cross-namespace level, one should not use local names, but instead use the full URN as listed above w all the prefix info. If that rule is followed as a general matter, then there should be no confusion, as long as the prefix info is unique, there is no ambiguity w equal local names. Thanks, Rich On 9/12/2012 2:20 PM, Jean-Paul Buu-Sao wrote: John, Richard, I agree with Steven. The profiles must make use (and reuse) of generic names (i.e. names that are not policy specific) as far as they can. IPC and EC profiles need to refer to the subject organization, which is a notion that is not policy specific. Hence I suggest urn:oasis:names:tc:xacml:3.0:subject:organization instead of the two variants that you propose. Additionally, why do you say that the Export and IP access control decisions should be evaluated independently? A very common situation, in the A&D arena, is that a resource will have multiple information protection policies attached to, such as a TAA (from ITAR export policy) and a PIEA (from a company IP policy). In this case access to the document is granted only if all access rules of all applicable policies permit. This is an AND that needs to be performed, requiring a dependent access decision evaluation. Jean-Paul -----Original Message----- From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On Behalf Of Tolbert, John W Sent: Wednesday, September 12, 2012 19:53 To: Steven Legg; Richard Hill Cc: XACML-TC-mailinglist Subject: RE: [xacml] Duplicate Organization Attribute in EC-US and IPC Profiles Generally, export and IP access control decisions should be evaluated independently. The "SHALL NOT" language from the Conformance section is common to other profiles, and is only intended to promote interoperability, so I don't foresee a conflict in this area. Thoughts? -----Original Message----- From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On Behalf Of Steven Legg Sent: Thursday, September 06, 2012 11:08 PM To: Hill, Richard C Cc: XACML-TC-mailinglist Subject: Re: [xacml] Duplicate Organization Attribute in EC-US and IPC Profiles Hi Richard, On 7/09/2012 10:44 AM, Hill, Richard C wrote:Just some thoughts to consider: The IPC 'organization' attribute relates to an IP agreement, while the EC-US 'organization' attribute relates to an export license. These are two separate contexts. In the case were both IP and Export contexts are contained in the same XACML request; it would be good to be able to differentiate between the two. Additionally, there shouldn't be any conflicts using both 'organization' attributes in the same XACML request or policy since their urn's are both unique. The IPC urn contains 'ipc' and the EC-US urn contains 'ec-us'. urn:oasis:names:tc:xacml:3.0:ipc:subject:organization urn:oasis:names:tc:xacml:3.0:ec-us:subject:organization Using a generic 'organization' attribute that could be used interchangeably between IPC or EC-US (or anywhere else for that matter) would require an additional attribute (e.g. 'organization-context') to be used to indicate whether the 'organization' attribute refers to an IP or Export context. In the case where both IP and Export contexts are contained in the same XACML request it would be difficult to know which of the two generic 'organization' attributes (one for IP and one for Export) corresponds to the correct 'organization-context' attribute.The key question is whether the values of the organization attribute would be different in both contexts. On re-reading I see that the IPC profile allows a wider range of possible associations between the subject and the subject's organization than would likely be the case with the EC-US profile, so on that basis separate attributes are required to allow differing sets of values. However, the values will often be the same or overlap so I still think that "SHALL NOT use any other identifiers for the purposes defined by attributes in this profile" puts both profiles in violation of each other. The quoted text should be struck out of both profiles. Regards, StevenThanks, Richard Hill -----Original Message----- From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On Behalf Of Steven Legg Sent: Wednesday, September 05, 2012 5:35 PM To: XACML-TC-mailinglist Subject: [xacml] Duplicate Organization Attribute in EC-US and IPC Profiles The IPC profile and the EC-US profile both define an organization subject attribute, apparently for the same purpose, but with different identifiers. A conformant implementation or deployment supporting both profiles simultaneously would be obliged to redundantly provide a subject's organization in both of these attributes. Furthermore, the EC-US profile says in section 5.1 that policies and requests "SHALL NOT use any other identifiers for the purposes defined by attributes in this profile" which means that the IPC profile is technically in violation of the conformance criteria for the EC-US profile. I suggest that one of these profiles (I don't care which) defines the organization attribute and the other profile references that definition, or that both profiles define the attribute using the same identifier (and ideally, acknowledge that the other profile contains an identical definition). Regards, Steven --------------------------------------------------------------------- To unsubscribe, e-mail: xacml-unsubscribe@lists.oasis-open.org For additional commands, e-mail: xacml-help@lists.oasis-open.org--------------------------------------------------------------------- To unsubscribe, e-mail: xacml-unsubscribe@lists.oasis-open.org For additional commands, e-mail: xacml-help@lists.oasis-open.org --------------------------------------------------------------------- To unsubscribe, e-mail: xacml-unsubscribe@lists.oasis-open.org For additional commands, e-mail: xacml-help@lists.oasis-open.org --------------------------------------------------------------------- To unsubscribe, e-mail: xacml-unsubscribe@lists.oasis-open.org For additional commands, e-mail: xacml-help@lists.oasis-open.org |
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]