Subject: Re: [xacml] Groups - xacml-3.0-dlp-nac-v1.0-wd07-SL.doc uploaded



Hi John,

On 15/07/2014 8:13 AM, Tolbert, John W wrote:
Hi Steven,

Thanks for putting this draft together.  I like the Subject-Security-Domain attribute name better.

I decided it was a better use of our time if I just showed what I was talking about
with a revised draft, rather than further discussion, even if you end up rejecting
the approach.

Also, please disregard the comment in the normative references section. Earlier
versions of XACML can use this profile by putting the subject category in the
SubjectCategory XML attribute of the <Subject> element (which is also a supporting
argument for defining recipient-machine as a new subject-category).


I do have a question about the flattening of the various “…subject-id” attributes – in a complex request, how would the PDP / Context handler treat multiple subject-id name/value pairs?  How would they be associated with access subject vs. recipient subject vs. recipient machine?

From the PDP and context handler perspective, each (category, attribute-id, data-type)
combination is a distinctly different XACML attribute. There is nothing special
about (attribute-id, data-type) pairs. Two triplets that have the same attribute-id
and data-type but different categories are still different, unrelated XACML
attributes.

Ordinarily I would expect the PEP to supply at least the (access-subject, subject-id, ?),
(requesting-machine, subject-id, ?), (recipient-subject, subject-id, ?) and/or
(recipient-machine, subject-id, ?) attribute values. The job of the context handler
is then to look up the other attributes of these entities using the various subject-id
values as keys. How the context handler is configured to do that is implementation
specific, but in the case of ViewDS, we configure where the context handler will
look for attributes on a per-triplet basis. An implementation with per-triplet
configuration could potentially, for example, source (access-subject, *, *) and
(recipient-subject, *, *) attributes from an HR LDAP directory using (access-subject,
subject-id, ?) and (recipient-subject, subject-id, ?), respectively, as keys.
Meanwhile, (requesting-machine, *, *) and (recipient-machine, *, *) attributes could
be sourced from a network database using (requesting-machine, subject-id, ?) and
(recipient-machine, subject-id, ?), respectively, as keys.

The concept of using the same attribute-id across a number of categories is
already established in the XACML core specification for subject attributes and
subject categories. An implementation could configure its context handler with
respect to (attribute-id, data-type) pairs, but it would be limiting its flexibility
somewhat with respect to the XACML core specification, let alone the DLP-NAC
profile.

Regards,
Steven


Thanks

*From:* xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] *On Behalf Of* Steven Legg
*Sent:* Thursday, July 10, 2014 6:20 PM
*To:* xacml@lists.oasis-open.org
*Subject:* [xacml] Groups - xacml-3.0-dlp-nac-v1.0-wd07-SL.doc uploaded

/Submitter's message/
This is an updated and change-marked version of DLP-NAC WD-07 taking into account my suggestions in https://www.oasis-open.org/apps/org/workgroup/xacml/email/archives/201406/msg00029.html. Note the comments for consideration. I trust this is easier to get one's head around. I didn't invoke the entities profile because the use cases presented aren't complex enough to warrant it.
-- Dr. Steven Legg

*Document Name*: xacml-3.0-dlp-nac-v1.0-wd07-SL.doc <https://www.oasis-open.org/apps/org/workgroup/xacml/document.php?document_id=53582>


*Description*
This is an updated and change-marked version of DLP-NAC WD-07 taking into
account the suggestions in
https://www.oasis-open.org/apps/org/workgroup/xacml/email/archives/201406/msg00029.html.
Download Latest Revision <https://www.oasis-open.org/apps/org/workgroup/xacml/download.php/53582/latest/xacml-3.0-dlp-nac-v1.0-wd07-SL.doc>
Public Download Link <https://www.oasis-open.org/committees/document.php?document_id=53582&wg_abbrev=xacml>


*Submitter*: Dr. Steven Legg
*Group*: OASIS eXtensible Access Control Markup Language (XACML) TC
*Folder*: repository
*Date submitted*: 2014-07-10 18:19:36
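The per-triplet context-handler configuration Steven describes above, modelled as an added example (not ViewDS code and not taken from the draft profile): the same subject-id attribute-id appears under four categories, each (category, attribute-id, data-type) triplet is keyed to its own source, and looked-up attributes stay in the category they were resolved for. The recipient-machine URN, the two sample stores and the attribute names clearance and security-domain are assumptions constructed for the example.

```python
from typing import Callable, Dict, Tuple

# XACML 3.0 core identifiers. recipient-machine is the category the DLP-NAC draft
# proposes to add; its URN below is assumed, not taken from a specification.
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
STRING = "http://www.w3.org/2001/XMLSchema#string"
CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:"
ACCESS, RECIPIENT = CAT + "access-subject", CAT + "recipient-subject"
REQ_MACHINE, RCP_MACHINE = CAT + "requesting-machine", CAT + "recipient-machine"

Triplet = Tuple[str, str, str]          # (category, attribute-id, data-type)
Resolver = Callable[[str], Dict[str, str]]

# Constructed sample stores standing in for an HR LDAP directory and a network DB.
HR_DIRECTORY = {"alice": {"clearance": "secret"}, "bob": {"clearance": "confidential"}}
NETWORK_DB = {"ws-17": {"security-domain": "internal"}, "ws-42": {"security-domain": "dmz"}}

class ContextHandler:
    def __init__(self) -> None:
        # The category is part of the key, so (access-subject, subject-id, string)
        # and (recipient-subject, subject-id, string) are unrelated attributes.
        self.resolvers: Dict[Triplet, Resolver] = {}

    def configure(self, triplet: Triplet, resolver: Resolver) -> None:
        self.resolvers[triplet] = resolver

    def resolve(self, request: Dict[Triplet, str]) -> Dict[Triplet, str]:
        # Expand the PEP-supplied request, using each subject-id value as the key
        # for the source configured for exactly that triplet.
        context = dict(request)
        for triplet, key in request.items():
            resolver = self.resolvers.get(triplet)
            if resolver is None:
                continue                 # no source configured; keep PEP value only
            category, _, dtype = triplet
            for attr_id, value in resolver(key).items():
                context[(category, attr_id, dtype)] = value   # stays in its category
        return context

def build_handler() -> ContextHandler:
    handler = ContextHandler()
    hr: Resolver = lambda sid: HR_DIRECTORY.get(sid, {})
    net: Resolver = lambda mid: NETWORK_DB.get(mid, {})
    for cat, src in ((ACCESS, hr), (RECIPIENT, hr), (REQ_MACHINE, net), (RCP_MACHINE, net)):
        handler.configure((cat, SUBJECT_ID, STRING), src)
    return handler

def sample_request() -> Dict[Triplet, str]:
    # One subject-id per category, as a PEP would supply them (constructed values).
    return {(ACCESS, SUBJECT_ID, STRING): "alice", (RECIPIENT, SUBJECT_ID, STRING): "bob",
            (REQ_MACHINE, SUBJECT_ID, STRING): "ws-17", (RCP_MACHINE, SUBJECT_ID, STRING): "ws-42"}
```

Running `build_handler().resolve(sample_request())` yields eight attributes: the four supplied subject-ids plus a clearance for each person category and a security-domain for each machine category, with no value leaking across categories.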