security-services message



Subject: RE: Resource sets and resource string semantics


Nigel,
 
> The intent of this assertion is to specify authorizations associated
> with Alice's account.
> 
> Suppose I want to issue an assertion allowing Alice to access all
> resources on a large web site with a dynamic resource set,
> e.g. http://www.hp.com/ 
> 
> Clearly it is not possible to enumerate the entire resource set. So
> how do we handle this case?
> 
> It occurs to me that some may feel that this sort of assertion should
> be considered by XACML, rather than SAML. I guess one possible
> resolution is to leave it to XACML.

I don't understand the use case you have in mind. SAML is not a policy
provisioning protocol. What sort of request might Alice have made to suggest
to the PEP that she might want to access all of www.hp.com? In the normal
case, there will be thousands of pages she can access and thousands she
cannot. Even with a really general language to express resources, e.g. reg
exp, it's going to be a long list.

It sounds to me that what you really ought to do is operate a PDP, which
receives Attribute Assertions (and perhaps Authorization Assertions) and
makes a decision whether to allow access. A PEP is supposed to be quite
simple.

> A related issue is the semantics of resource strings. I believe we
> need to define what these are. Suppose one of the <Resource> elements
> contains the following: http://www.hp.com/ 
> 
> What are the semantics: the home page or everything under it? 
> In my opinion
> serious security issues will arise if the asserting party and relying
> party apply different semantics.

Certainly this is something that the specification should make unambiguous.

Hal
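
Added example, not part of Nigel's or Hal's messages: a small Python model of the two readings of a `<Resource>` string that the thread discusses (the home page only, or everything under it), plus a check that lists the requests on which an asserting party and a relying party using different readings would disagree. The URL normalization and the path-segment-boundary rule are my assumptions, not anything the SAML draft specified.

```python
# Added example (not from the thread): the two readings of a <Resource>
# string and the requests on which they give different answers.
from urllib.parse import urlsplit, urlunsplit

def normalize(url: str) -> str:
    """Canonical form so trivially different spellings compare equal
    (assumed rule: lower-case scheme/host, drop default port and fragment)."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    default_port = {"http": 80, "https": 443}.get(scheme)
    netloc = host if p.port in (None, default_port) else f"{host}:{p.port}"
    path = p.path or "/"
    return urlunsplit((scheme, netloc, path, p.query, ""))

def matches_exact(resource: str, requested: str) -> bool:
    """Reading 1: the string names exactly one resource (the home page)."""
    return normalize(resource) == normalize(requested)

def matches_subtree(resource: str, requested: str) -> bool:
    """Reading 2: the string names a root and everything below it.
    Assumed rule: match on a path-segment boundary, so that '.../docs'
    does not also cover '.../docs-private'."""
    r, q = normalize(resource), normalize(requested)
    if r == q:
        return True
    root = r if r.endswith("/") else r + "/"
    return q.startswith(root)

def disagreements(resources, requests):
    """Requests on which the two readings differ. Each one is an unintended
    grant if the relying party reads 'subtree' while the asserting party
    meant 'exact', or a wrongful denial the other way round."""
    out = []
    for req in requests:
        exact = any(matches_exact(r, req) for r in resources)
        subtree = any(matches_subtree(r, req) for r in resources)
        if exact != subtree:
            out.append((req, exact, subtree))
    return out

if __name__ == "__main__":
    # Constructed sample: one <Resource> value and a few requested URLs.
    granted = ["http://www.hp.com/"]
    asked = ["http://www.hp.com/", "HTTP://WWW.HP.COM:80/",
             "http://www.hp.com/products/p.html",
             "http://www.hp.com.evil.example/"]
    for req, exact, subtree in disagreements(granted, asked):
        print(f"{req}: exact={exact} subtree={subtree}")
```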



