[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml] Duplicate Organization Attribute in EC-US and IPC Profiles
Hi Rich, Ambiguity wasn't the issue. There are already two distinct organization attributes that we can tell apart. The discussion is about whether they mean the same thing (in which case only one identifier is necessary). In both cases the organization attribute indicates an association between the subject and an organization. The IPC profile describes two particular kinds of association, employee or contractor, but allows that there may be more. The EC-US profile says employee or agent without suggesting that there may be other kinds. Without being familiar with the problem spaces, it seems to me that the attributes are the same, and will typically have the same values, but not always. For example, "customer" might be a valid association for IPC, but irrelevant for EC-US. The difference needs to be reflected somehow and different attribute identifiers is one way to do it. If one believes that IPC and EC-US are always evaluated independently (different PEPs sending different requests to different PDPs using different policies), then there is no need for two different identifiers for organization; the two will never meet. Jean-Paul thinks there is a case for using IPC and EC-US together and I am inclined to agree with him, but that means a distinction needs to be made. I note the affiliation-type attribute in the IPC draft is problematic when the organization and affiliation-type attributes are both multi-valued because there is no way to align particular values of affiliation-type with particular values of organization. An application could solve that problem by using multiple requests. That is, one request for each value of organization with the appropriate value for affiliation-type in each case. If EC-US also uses affiliation-type (i.e., the same attribute!), then IPC and EC-US could easily co-exist in such a scenario with a single organization attribute. EC-US policies would only be applicable for requests where the affiliation-type is relevant to EC (so paying attention to "employee" and "contractor", but ignoring "customer"). An alternative to one request for each organization value is to define a separate attribute for each type of affiliation and use a single request. So instead of having organization and affiliation-type attributes, have employee-of-organization, contractor-of-organization, customer-of-organization and so on. IPC and EC-US would share these attributes. A subject could be an employee of one organization, contracted to another organization, and a customer of several other organizations and it would be clear what the affiliation to each organization is. EC-US policies would most likely only pay attention to the employee-of-organization and contractor-of-organization attributes. Regards, Steven On 13/09/2012 6:28 AM, rich levinson wrote:
Hi John, Richard, Steven, Jean-Paul, and Ray, I mentioned at last week's mtg that a common repository of attr defns would be very helpful to resolve issues where 2 profiles want to "share" the same attribute defn: https://lists.oasis-open.org/archives/xacml/201209/msg00015.html Ray also followed up to the original issue w a comment along similar lines: https://lists.oasis-open.org/archives/xacml/201209/msg00013.html where it sounds like the IANA registry is already positioned to provide this type of service. However, Richard Hill sent a clarifying email indicating that there were actually 2 distinct attributes defined: https://lists.oasis-open.org/archives/xacml/201209/msg00016.html urn:oasis:names:tc:xacml:3.0:ipc:subject:organization urn:oasis:names:tc:xacml:3.0:ec-us:subject:organization Assuming that is the case and the attributes are distinct within the profiles and make no refs to the other profile, and have a profile-specific defn, then I think the uniqueness of the URN should be sufficient to disambiguate. For example, in general, if there are 2 profiles: profile-1 and profile-2, which may or may not have anything to do with each other in practice, and are intended to be used independently, then I don't see any problem if within their local namespace, they use attr names that are identical to attr names in the other namespace. i.e. urn:oasis:xacml:profile-001:name, and urn:oasis:xacml:profile-002:name In the above case, each profile has a local attr named "name". However, at a global cross-namespace level, one should not use local names, but instead use the full URN as listed above w all the prefix info. If that rule is followed as a general matter, then there should be no confusion, as long as the prefix info is unique, there is no ambiguity w equal local names. Thanks, Rich On 9/12/2012 2:20 PM, Jean-Paul Buu-Sao wrote:John, Richard, I agree with Steven. The profiles must make use (and reuse) of generic names (i.e. names that are not policy specific) as far as they can. IPC and EC profiles need to refer to the subject organization, which is a notion that is not policy specific. Hence I suggest urn:oasis:names:tc:xacml:3.0:subject:organization instead of the two variants that you propose. Additionally, why do you say that the Export and IP access control decisions should be evaluated independently? A very common situation, in the A&D arena, is that a resource will have multiple information protection policies attached to, such as a TAA (from ITAR export policy) and a PIEA (from a company IP policy). In this case access to the document is granted only if all access rules of all applicable policies permit. This is an AND that needs to be performed, requiring a dependent access decision evaluation. Jean-Paul -----Original Message----- From:xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On Behalf Of Tolbert, John W Sent: Wednesday, September 12, 2012 19:53 To: Steven Legg; Richard Hill Cc: XACML-TC-mailinglist Subject: RE: [xacml] Duplicate Organization Attribute in EC-US and IPC Profiles Generally, export and IP access control decisions should be evaluated independently. The "SHALL NOT" language from the Conformance section is common to other profiles, and is only intended to promote interoperability, so I don't foresee a conflict in this area. Thoughts? -----Original Message----- From:xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On Behalf Of Steven Legg Sent: Thursday, September 06, 2012 11:08 PM To: Hill, Richard C Cc: XACML-TC-mailinglist Subject: Re: [xacml] Duplicate Organization Attribute in EC-US and IPC Profiles Hi Richard, On 7/09/2012 10:44 AM, Hill, Richard C wrote:Just some thoughts to consider: The IPC 'organization' attribute relates to an IP agreement, while the EC-US 'organization' attribute relates to an export license. These are two separate contexts. In the case were both IP and Export contexts are contained in the same XACML request; it would be good to be able to differentiate between the two. Additionally, there shouldn't be any conflicts using both 'organization' attributes in the same XACML request or policy since their urn's are both unique. The IPC urn contains 'ipc' and the EC-US urn contains 'ec-us'. urn:oasis:names:tc:xacml:3.0:ipc:subject:organization urn:oasis:names:tc:xacml:3.0:ec-us:subject:organization Using a generic 'organization' attribute that could be used interchangeably between IPC or EC-US (or anywhere else for that matter) would require an additional attribute (e.g. 'organization-context') to be used to indicate whether the 'organization' attribute refers to an IP or Export context. In the case where both IP and Export contexts are contained in the same XACML request it would be difficult to know which of the two generic 'organization' attributes (one for IP and one for Export) corresponds to the correct 'organization-context' attribute.The key question is whether the values of the organization attribute would be different in both contexts. On re-reading I see that the IPC profile allows a wider range of possible associations between the subject and the subject's organization than would likely be the case with the EC-US profile, so on that basis separate attributes are required to allow differing sets of values. However, the values will often be the same or overlap so I still think that "SHALL NOT use any other identifiers for the purposes defined by attributes in this profile" puts both profiles in violation of each other. The quoted text should be struck out of both profiles. Regards, StevenThanks, Richard Hill -----Original Message----- From:xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On Behalf Of Steven Legg Sent: Wednesday, September 05, 2012 5:35 PM To: XACML-TC-mailinglist Subject: [xacml] Duplicate Organization Attribute in EC-US and IPC Profiles The IPC profile and the EC-US profile both define an organization subject attribute, apparently for the same purpose, but with different identifiers. A conformant implementation or deployment supporting both profiles simultaneously would be obliged to redundantly provide a subject's organization in both of these attributes. Furthermore, the EC-US profile says in section 5.1 that policies and requests "SHALL NOT use any other identifiers for the purposes defined by attributes in this profile" which means that the IPC profile is technically in violation of the conformance criteria for the EC-US profile. I suggest that one of these profiles (I don't care which) defines the organization attribute and the other profile references that definition, or that both profiles define the attribute using the same identifier (and ideally, acknowledge that the other profile contains an identical definition). Regards, Steven --------------------------------------------------------------------- To unsubscribe, e-mail:xacml-unsubscribe@lists.oasis-open.org For additional commands, e-mail:xacml-help@lists.oasis-open.org--------------------------------------------------------------------- To unsubscribe, e-mail:xacml-unsubscribe@lists.oasis-open.org For additional commands, e-mail:xacml-help@lists.oasis-open.org --------------------------------------------------------------------- To unsubscribe, e-mail:xacml-unsubscribe@lists.oasis-open.org For additional commands, e-mail:xacml-help@lists.oasis-open.org --------------------------------------------------------------------- To unsubscribe, e-mail:xacml-unsubscribe@lists.oasis-open.org For additional commands, e-mail:xacml-help@lists.oasis-open.org
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]