Subject: Re: [xacml] Groups - xacml-3.0-administration-v1.0-wd30-diff.doc uploaded



Hi Hal,

On 31/10/2014 5:43 AM, Hal Lockhart wrote:
OK. Can one of you guys propose specific text for Section 4.10?

Here you go.

    A policy, P, that evaluated to “Indeterminate{DP}”, “Indeterminate{P}” or “Indeterminate{D}” in the policy set, MUST be reduced as follows in this section.

    Form a reduction graph as described in section 4.7.

    If and only if policy P evaluated to “Indeterminate{DP}”, perform two graph searches. For the first search, start from the node corresponding to policy P and follow only PP and PI edges. For the second search, start from the node corresponding to policy P and follow only DP and DI edges. If both searches reach a node that corresponds to a trusted policy (not necessarily the same node), then policy P is treated as “Indeterminate{DP}” in combination of the policy set; otherwise, if only the first search reaches a node that corresponds to a trusted policy, then policy P is treated as “Indeterminate{P}” in combination of the policy set; otherwise, if only the second search reaches a node that corresponds to a trusted policy, then policy P is treated as “Indeterminate{D}” in combination of the policy set; otherwise, policy P is treated as “NotApplicable” in combination of the policy set.

    If and only if policy P evaluated to “Indeterminate{P}”, start a graph search from the node corresponding to policy P following only PP and PI edges. If it is possible to reach a node that corresponds to a trusted policy, then policy P is treated as “Indeterminate{P}” in combination of the policy set; otherwise, policy P is treated as “NotApplicable” in combination of the policy set.

    If and only if policy P evaluated to “Indeterminate{D}”, start a graph search from the node corresponding to policy P following only DP and DI edges. If it is possible to reach a node that corresponds to a trusted policy, then policy P is treated as “Indeterminate{D}” in combination of the policy set; otherwise, policy P is treated as “NotApplicable” in combination of the policy set.

The following paragraphs are retained unchanged.

    In all graph searches, the maximum delegation depth limit MUST be checked as described in section 4.11.

    In all graph searches obligations must be collected as described in section 4.12.

        Note (non-normative): This process is designed in this way because it is important to reduce “Indeterminate” results before combining them. An unauthorized “Indeterminate” can be used as an attack by forcing the PEP into error handling, and possibly denying or allowing access depending on the bias of the PEP. Intuitively we test if the policy would be authorized if it would have been “Permit” or “Deny”. If neither a “Permit” nor a “Deny” would have been authorized, the policy is not authorized, so the “Indeterminate” is discarded.

To be consistent, this statement in sections 4.9 and 4.10:

    If it was not possible to reach a trusted policy with either search, the policy P is discarded and not combined in the policy set.

should be changed to:

    If it was not possible to reach a trusted policy with either search, the policy P is treated as “NotApplicable” in combination of the policy set.

Regards,
Steven
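
The reduction procedure proposed above, worked through as an added example; this is illustrative Python, not text or code from the thread or from the XACML administration profile. It assumes the section 4.7 reduction graph is given as an adjacency list mapping each policy id to (edge label, authorizing policy id) pairs with labels PP, PI, DP and DI, that trusted policies are identified by a set of ids, and that the section 4.11 delegation depth limit can be approximated by a simple cap on the number of edges followed (the real check and the obligation collection of section 4.12 are left out). The sample graph is constructed for the example.

```python
from collections import deque

# Reduction graph edge labels (section 4.7 of the administration profile).
PERMIT_EDGES = frozenset({"PP", "PI"})
DENY_EDGES = frozenset({"DP", "DI"})

# The extended Indeterminate values that section 4.10 reduces.
REDUCIBLE = ("Indeterminate{DP}", "Indeterminate{P}", "Indeterminate{D}")


def reaches_trusted(graph, trusted, start, allowed, max_depth=None):
    """Breadth-first search from `start` following only edges whose label is in
    `allowed`. Returns True as soon as a trusted policy is reached.

    `graph` maps a policy id to a list of (label, authorizing_policy_id) pairs.
    `max_depth` is an assumed simplification of the section 4.11 depth limit:
    no path longer than `max_depth` edges is followed.
    The start node is the policy being reduced; it does not count as a hit.
    """
    visited = {start}
    queue = deque([(start, 0)])
    while queue:
        node, depth = queue.popleft()
        if max_depth is not None and depth >= max_depth:
            continue  # one more edge would exceed the delegation depth limit
        for label, nxt in graph.get(node, []):
            if label not in allowed or nxt in visited:
                continue  # wrong edge kind, or a cycle back to a seen node
            if nxt in trusted:
                return True
            visited.add(nxt)
            queue.append((nxt, depth + 1))
    return False


def reduce_indeterminate(graph, trusted, policy, value, max_depth=None):
    """Reduce policy `policy`, which evaluated to `value`, per the proposed
    section 4.10 text: search the permit side (PP/PI edges) and/or the deny
    side (DP/DI edges) as the extended value requires, and keep only the
    sides for which a trusted policy is reachable."""
    if value not in REDUCIBLE:
        raise ValueError(f"{value!r} is not an extended Indeterminate value")
    permit_side = value in ("Indeterminate{DP}", "Indeterminate{P}") and \
        reaches_trusted(graph, trusted, policy, PERMIT_EDGES, max_depth)
    deny_side = value in ("Indeterminate{DP}", "Indeterminate{D}") and \
        reaches_trusted(graph, trusted, policy, DENY_EDGES, max_depth)
    if permit_side and deny_side:
        return "Indeterminate{DP}"
    if permit_side:
        return "Indeterminate{P}"
    if deny_side:
        return "Indeterminate{D}"
    # Neither side is authorized, so the Indeterminate is not propagated.
    return "NotApplicable"


def build_sample_graph():
    """Constructed sample reduction graph (not from the profile).
    T is the only trusted policy; U is an untrusted dead end; A2 -> P1 on a
    DI edge forms a cycle on the deny side."""
    graph = {
        "P1": [("PP", "A1"), ("DI", "A2")],
        "A1": [("PP", "T")],
        "A2": [("DP", "U"), ("DI", "P1")],
        "P2": [("DP", "T")],
        "P4": [("PP", "T"), ("DP", "T")],
    }
    trusted = {"T"}
    return graph, trusted


if __name__ == "__main__":
    g, t = build_sample_graph()
    for pol, val in [("P1", "Indeterminate{DP}"), ("P2", "Indeterminate{DP}"),
                     ("P4", "Indeterminate{DP}"), ("P1", "Indeterminate{D}")]:
        print(pol, val, "->", reduce_indeterminate(g, t, pol, val))
```

Running the block shows the four outcomes of the proposed text on the sample graph: P1 keeps only its permit side, P2 only its deny side, P4 both, and P1 evaluated to "Indeterminate{D}" becomes "NotApplicable" because its deny-side search never leaves the A2/U/P1 cycle. Passing `max_depth=1` to `reduce_indeterminate` for P1 also yields "NotApplicable", since the two-edge path P1 -> A1 -> T is then too long to follow.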


Hal

-----Original Message-----
From: Steven Legg [mailto:steven.legg@viewds.com]
Sent: Thursday, October 30, 2014 2:24 AM
To: Erik Rissanen; Hal Lockhart; xacml@lists.oasis-open.org
Subject: Re: [xacml] Groups - xacml-3.0-administration-v1.0-wd30-diff.doc uploaded


Hi Erik & Hal,

On 30/10/2014 12:59 AM, Erik Rissanen wrote:
Hi Hal,

Thanks. I understand the intent and it's correct as I can see.
Section 4.10 could perhaps be formulated in a more clear manner by
structuring it based on the three indeterminate cases:

I agree, especially in regard to describing the extended indeterminate
value for policy P, which the new draft doesn't do.

Indet{DP}: first follow PP or PI edges. Then search again and follow
DP or DI edges.

If both searches are successful, then policy P is treated as
"Indeterminate{DP}"; otherwise, if only the first search is successful,
then policy P is treated as "Indeterminate{P}"; otherwise, if only the
second search is successful, then policy P is treated as
"Indeterminate{D}"; otherwise, policy P is treated as "NotApplicable".

Note that the current text talks about discarding policy P when graph
searches fail, but combining algorithm definitions have cases for
policies that are "NotApplicable"
rather than cases for policies that are discarded, so I think it is
more appropriate in this profile to use 'treated as "NotApplicable"'
instead of 'discarded'.

Indet{P}: search once and follow PP or PI edges

And if the search is successful, then policy P is treated as
"Indeterminate{P}"; otherwise, policy P is treated as "NotApplicable".

Indet{D}: search once and follow DP or DI edges.

And if the search is successful, then policy P is treated as
"Indeterminate{D}"; otherwise, policy P is treated as "NotApplicable".

In section 4.8, this statement:

     "If it possible to reach a trusted policy in this manner,
      the policy P is treated as "Indeterminate" in combination of the
policy set."

should read:

     "If it is possible to reach a trusted policy in this manner,
      the policy P is treated as "Indeterminate{P}" in combination of
the policy set."

Note also the missing "is".

In section 4.9, this statement:

      "If it possible to reach a trusted policy in this manner,
       the policy P is treated as "Indeterminate" in combination of the
policy set."

should read:

      "If it is possible to reach a trusted policy in this manner,
       the policy P is treated as "Indeterminate{D}" in combination of
the policy set."

Regards,
Steven

Best regards,
Erik

On 2014-10-28 20:10, Hal Lockhart wrote:

The new text is based on Steven's comments from June 2011:

https://lists.oasis-open.org/archives/xacml-comment/201106/msg00004.html

See Issue 98 in the wiki.

Please check to see if I got it right.

Hal

*From:*Erik Rissanen [mailto:erik@axiomatics.com]
*Sent:* Tuesday, October 28, 2014 10:38 AM
*To:* xacml@lists.oasis-open.org
*Subject:* Re: [xacml] Groups -
xacml-3.0-administration-v1.0-wd30-diff.doc uploaded

Hi Hal,

I did a quick review and most of the changes are fine I think. The
one to be careful about I guess is the extended indeterminate in the
reduction algorithm. Was there previous discussion about that on the
list, which could be reviewed to understand the thinking behind the
solution?

Best regards,
Erik

On 2014-10-17 17:41, Hal Lockhart wrote:

     /Submitter's message/
     Diff file
     -- Hal Lockhart

     *Document Name*: xacml-3.0-administration-v1.0-wd30-diff.doc <https://www.oasis-open.org/apps/org/workgroup/xacml/document.php?document_id=54337>



     *Description*
     Differences between WD 29 and WD 30
     Download Latest Revision <https://www.oasis-open.org/apps/org/workgroup/xacml/download.php/54337/latest/xacml-3.0-administration-v1.0-wd30-diff.doc>
     Public Download Link <https://www.oasis-open.org/committees/document.php?document_id=54337&wg_abbrev=xacml>



     *Submitter*: Hal Lockhart
     *Group*: OASIS eXtensible Access Control Markup Language (XACML) TC
     *Folder*: Specifications and Working Drafts
     *Date submitted*: 2014-10-17 08:41:02