OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-core message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: RE: Strawman core assertions 0.4

Title: RE: Final text of ballot
Phill - Apropo your second set of bullets, below ... (bullet 1) I believe it must be possible to specify an object "method", not just an object.  The policy for a particular object may vary by method (for example who is entitled to write a document may be different form who is entitled to read a document).  In addition, as evidenced by the XACML desire to include "content introspection", we'll have to be able to pass the actual object contents to the PDP, so that it can "introspect" it.  (Bullet 2) It should be possible to specify the Principal by name alone (for those cases where the role is not specified or not available, as discussed in your first set of bullets).  Best regards.  Tim.
-----Original Message-----
From: Philip Hallam-Baker [mailto:pbaker@verisign.com]
Sent: Wednesday, April 04, 2001 5:47 PM
To: 'security-core@lists.oasis-open.org'
Subject: Strawman core assertions 0.4

Attached is the latest draft in doc format. NB there is important information in the comments.
 
The key 'export' from this document would be section 3 and the references from section 4. All other text is simply there to help explain, position etc. The folk who write those sections of the document are welcome to use the text as a rough starting point draft should they choose to.
 
The draft is relatively coherent until we get to section 3.7 which is the actual claims section. Here the text needs to be clarified considerably. In particular:
 
By what methods do we specify the principal, i.e. the subject of the assertion. I believe we need to support as a minimum:
1) By mutually agreed name, which may be specified by a URI (making it unique in an inter-domain context)
2) An account identifier, I suspect we need this in addition to the name.
3) Authentication parameters specified by means of a ds:keyinfo element
 
By what methods are the resource(s) specified. I believe we must support as a minimum
1) A means of specifying a specific resource (so the PEP can query the PDP)
2) A means of specifying an unstructured attribute corresponding to a role (or similar) - expressed as a URI
3) A means of specifying a highly structured attribute (e.g. Equifax credit rating, exact details of which beyond our scope)
 
    Phill

Phillip Hallam-Baker
Principal Scientist
VeriSign Inc.
pbaker@verisign.com
781 245 6996 x227

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC