Reactivating the Admin & Delegation discussion

[Hal Lockhart <hal.lockhart@oracle.com>]

To review: WD 31 & 32 of the A&D Profile resolved issues 95, 96, 98, 100 & 101. 

This version (CSD04) is under public review until Feb 11. The intention of the TC is to move this Profile to CS and no further. This will allow people who have already implemented it to claim conformance, but make it easier for people who don't see the need for it to skip it and also to indicate that the TC believes the Profile could still be improved.

I now turn to the remaining issues, including 94, 97 & 99. Speaking as an individual, I generally agree with Steven on the following points.

1. Policies should either be Access Policies or Admin Policies, but never both.
2. The distinction between them should be made at the schema level. (The prefixing scheme is broken.) This is best done by subclassing PolicySetType and PolicyType.
3. Admin policies should be able to authorize polices not only in the same PolicySet, but also in any enclosed Policy or PolicySet. In other words, Admin policies may appear in the same PolicySet or any PolicySet closer to the root than the Policies they authorized.

I also believe as a matter of logic and common sense.

4. No Admin Policy or PolicySet should be able to authorize itself.
5. No Admin Policy or PolicySet should appear more than once in a valid authorization tree. In other words, there be no cycles in the delegation chain.

Now the main concern I have is as follows. In a previous message Erik seemed to suggest that any reduction algorithm which matches our intuitive sense of how the A&D scheme should work will necessarily be NP-complete. That is to say the work factor will increase exponentially as a function of the number of Admin Policies.

As I understand it, this is simply a consequence of the fact that since the delegation chain depends the situation of the original request, the and the contents of each policy we are trying to authorize, in principle, we need to check every Admin Policy at every step in the reduction process. #4 above helps a little, but does not change the shape of the curve.

Erik can you confirm that this is true?

If this is the case, I am inclined to do no more work on the Profile. What do others think?

Hal