Subject: Transcript of XACML questions/answers
Anne and Hal,

Thank you both again for taking an hour of your evening to attend our call on Monday. It was very widely appreciated by everyone on the TC, whose understanding of XACML was considerably increased. Following are my own relatively brief transcriptions of your answers for those XDI TC members who could not make the call. Feel free to elaborate on any of them if I missed key points.

Thank you again,

=Drummond

TRANSCRIPT OF XACML Q&A FROM XDI TC 4/19 TELECON WITH ANNE ANDERSON & HAL LOCKHART

* How do you pronounce "XACML"? (Is it "Ex-akML" or "ZakML" - we've heard both.)

Hal: Mostly "Egg-ackML", but there is no one true way.

* Does XACML only work against XML-described resources, i.e., XML documents, or can it provide access control for any URI-identifiable resource?

Hal: It can work against any resource that is either URI or XPath addressable.

* At first reading it's not clear exactly how XACML references policies, policy elements, attributes, etc. It appears to use both URIs and XPath expressions. Is one or the other preferred? Are there other referencing mechanisms?

Hal: It is mandatory that implementations support URIs (technically, it's an anyURI datatype). You can ALSO specify an XPath expression against the input context, but this is always optional. In practice, the specification frequently identifies actual attribute values with URNs.

* How should we reconcile the XACML glossary definitions of "Resource" and "Subject" and the URI/XRI glossary definition of "Resource" (anything identifiable), which would include "Subjects"? What is the XACML equivalent of what the XRI & XDI glossary calls an "Authority" (a Resource that controls other Resources)?

Hal: XACML deals with 4 broad categories of entities: Subjects (and their attributes), Resources (and their attributes), Actions (and their attributes), Environment (and their attributes). Resource is most important, Action is second most important.

Anne: Probably the best reconciliation is that XACML classifies what URI/XRI calls "resources" into specific classes. A Subject must be a system entity, capable of having an authenticatable identity.

Hal: The closest thing to an Authority is a PEP (Policy Enforcement Point).

* Given our description of XDI link contracts - XDI documents that govern the sharing of other XDI documents - is there a reason that XDI link contracts should favor: a) physically containing instances of the XACML policies the author wants to bind with specified data, or b) referencing those policies externally with XRIs? Or does it not matter?

Hal: It doesn't matter. The goal has been to allow implementations to be as flexible as possible. Trying to support PEPs and PDPs to be configured and distributed any way they want.

Anne: If you look at the Sun open source implementation, it implements a PolicyFinder module. The identifier of a policy can be a URI; how the policy is resolved and returned is up to the implementation.

Hal: This is subtle, but the information in the context can be used to determine the policies that apply. Since a policy can apply to many resources, it is up to the PEP to determine what policies may apply in a particular context. This specifically allows: a) decentralized administration of the policies, and b) dynamic decision-making about the policies. In many cases, the resource being requested and the other context inputs may be determined dynamically by the PEP and PDP, and may not be named explicitly in the request.

* Clearly XACML policies are intended to be portable across an authority, such as a single enterprise. Are they also intended to be portable across authorities, such as across the members of a consortium?

Hal: There has been lots of discussion about portability. There may be some limitations about policies being ported, but in general this should be possible.

Anne: Example of a portable policy: the patient is allowed to read their own medical records. This could be structured to be portable. An example might be that a set of health-care policies are mandated by a legislative body, and then must be adopted by all the doctors and hospitals under its jurisdiction.

* Obligations - how are they expressed?

Hal: Using URIs.

* How did the XACML TC develop its policy combining algorithm?

Hal: To his knowledge, it was new at the XACML TC.

* Could an XACML policy be used to describe the usage controls on a shared piece of data? For example, could Authority A share Resource X (say a home phone number) with Authority B and have the link contract specify that Authority B may only allow access (in their own domain) to Resource X under XACML Policy Y?

Hal: Yes, this should work, as long as they each have PDPs (policy decision points) that can process the policies. XACML 1.0 and 1.1 were developed around a fairly static model (policies pre-exist). 2.0 supports a more dynamic model.

Anne: The two authorities could pass the policy between them.

Hal: It would be more efficient for the policy providers to share the same policy by reference. Resources can have an attribute that is what the PDP looks for to apply that particular policy.

* At the SIMC meeting in New York in February, Hal Lockhart mentioned that an XACML policy could be used to select the set of nodes in an XML document that satisfy that policy. Is this the case? (This could be enormously useful in XDI, as policies could be a particularly efficient way of selecting subsets of data to be shared from a larger XDI document.)

Hal: Yes, if a policy applies to a hierarchical resource, it can select specific nodes that satisfy the policy. The result will actually be an XML document that is compliant with the same schema as the source document. Note that this is not strictly an XACML feature, but something that can be implemented with XACML.

* Do you see XRIs and XDI as one means of accomplishing the "policy referencing and retrieval" and "attribute value resolution" processes that a PDP must execute in order to assemble a fully-resolved XACML authorization decision request?

RAN OUT OF TIME - DEFERRED THIS QUESTION TO A FUTURE SESSION

* Are there other ways in which XRIs and XDI might be helpful to XACML?

RAN OUT OF TIME - DEFERRED THIS QUESTION TO A FUTURE SESSION

* What is the status of XACML 2.0? When are the specifications expected? Should that be our target for compatibility?

Hal: Trying to wrap up the 2.0 work this spring, with the goal of having 2.0 as a standard this fall.

* Will XACML 2.0 be harmonized with SAML 2.0?

Hal: There is a will to do that on both sides. In some cases the issues are on where does the work get done, and in some cases the issue is terminology and referencing. We expect that there will be progress, but they may not be in perfect harmony yet.

Anne: There is already a SAML profile of XACML.

Hal: This will allow digital signatures on policies and other security functions.

* The XDI TC will be completing its requirements stage in early May and beginning specifications. How would you recommend the XDI TC work with the XACML TC to achieve the best synergy between our efforts?

Hal: We should continue this dialog, starting in New Orleans, and review the XDI requirements when a draft is published.
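As an added illustration of the points made in the call above (this is example code written for this archive page, not a policy from the XACML TC, the XDI TC, or either speaker), the following XACML 2.0 policy expresses Anne's portable example "the patient is allowed to read their own medical records". It shows the four entity categories Hal described (Subject, Resource, Action, Environment), the URN-identified attributes and functions he mentioned, and a deny-overrides rule-combining algorithm with an explicit default-deny rule. The standard `subject-id` and `action-id` attribute identifiers and the function and algorithm URNs are from the XACML 1.0/2.0 specifications; the resource attributes `urn:example:attr:resource-type` and `urn:example:attr:patient-id` are assumed, deployment-specific names that a PEP would have to populate in the request context.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example policy (not from the original page): a patient may read only
     their own medical record. Portable across authorities as long as every
     PEP supplies the two example resource attributes named below. -->
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        PolicyId="urn:example:policy:patient-reads-own-record"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">

  <!-- Target: this policy applies only to "read" actions on resources whose
       (assumed) resource-type attribute is "medical-record". Requests that do
       not match yield NotApplicable, so other policies can still apply. -->
  <Target>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">medical-record</AttributeValue>
          <ResourceAttributeDesignator
              AttributeId="urn:example:attr:resource-type"
              DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ResourceMatch>
      </Resource>
    </Resources>
    <Actions>
      <Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
          <ActionAttributeDesignator
              AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
              DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ActionMatch>
      </Action>
    </Actions>
  </Target>

  <!-- Rule 1: Permit when the requesting subject's identifier equals the
       patient identifier carried on the resource. string-one-and-only
       makes the rule Indeterminate (and thus, under deny-overrides, not a
       Permit) if either attribute is missing or multi-valued. -->
  <Rule RuleId="urn:example:rule:own-record" Effect="Permit">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <SubjectAttributeDesignator
              AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
              DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <ResourceAttributeDesignator
              AttributeId="urn:example:attr:patient-id"
              DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </Apply>
      </Apply>
    </Condition>
  </Rule>

  <!-- Rule 2: everything else that matched the Target is denied, so the
       policy itself never returns NotApplicable for in-scope requests. -->
  <Rule RuleId="urn:example:rule:default-deny" Effect="Deny"/>
</Policy>
```

Two design points follow from the transcript. First, the policy never names a concrete record: the PEP determines which resource attributes to place in the request context, which is the dynamic, decentralized behaviour Hal describes. Second, because every identifier in the policy is a URN, a second authority can reference this policy by its `PolicyId` (via a PolicySetIdReference/PolicyIdReference in its own PolicySet) rather than copying it, which is the share-by-reference model Hal preferred for cross-authority usage controls.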