OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


Subject: RE: Resource sets and resource string semantics



All resources on the HP web site ???

How about http://www.hp.com/*

or if we want to avoid any possibility of collision (although * is a
reserved URI character):

http://www.hp.com/ *

Or we could use an XPATH statement - maybe Eve can fill us in???

The way I would see the conversation going is:

PEP: Can Alice access http://www.hp.com/finance/fred.xls 
PDP: Yes, and Alice can access http://www.hp.com/*

PEP: Can Alice access http://www.hp.com/finance/mary.xls
PEP-Cache: Yes

I don't like the idea of unconstrained wildcard matching etc. However simple
hierarchical partitioning is probably enough for what we need. After all the
admin will probably organize directories so that the wildcards match
cleanly.


Note that another possibility is that the PEP is not a file system. If the
access control policy or permissions/whathaveyou are embedded in the
resource the PEP may be asking a question of the form 'Does Alice have the
Role X' or 'Does Alice have any resources in the set ..../*'

	Phill

Phillip Hallam-Baker FBCS C.Eng.
Principal Scientist
VeriSign Inc.
pbaker@verisign.com
781 245 6996 x227


> -----Original Message-----
> From: Edwards, Nigel [mailto:Nigel_Edwards@hp.com]
> Sent: Friday, May 04, 2001 2:29 PM
> To: 'Hal Lockhart'; Edwards, Nigel;
> security-services@lists.oasis-open.org
> Subject: RE: Resource sets and resource string semantics
> 
> 
> Hi Hal,
> I should have made it more clear that I am worring about the kind
> of interaction that make take place between an Attribute Authority
> and a PDP, rather than a PDP and a PEP.
> 
> Sorry about that,
> Nigel.
> 
> > -----Original Message-----
> > From: Hal Lockhart [mailto:hal.lockhart@entegrity.com]
> > Sent: 04 May 2001 16:56
> > To: 'Edwards, Nigel'; security-services@lists.oasis-open.org
> > Subject: RE: Resource sets and resource string semantics
> > 
> > 
> > Nigel,
> >  
> > > The intent of this assertion is to specify authorizations 
> associated
> > > with Alice's account.
> > > 
> > > Suppose I want to issue an assertion allowing Alice to access all
> > > resources on a large web site with a dynamic resource set,
> > > e.g. http://www.hp.com/ 
> > > 
> > > Clearly it is not possible to enumerate the entire 
> resource set. So
> > > how do we handle this case?
> > > 
> > > It occurs to me that some may feel that this sort of 
> > assertion should
> > > be considered by XACML, rather than SAML. I guess one possible
> > > resolution is to leave it to XACML.
> > 
> > I don't understand the use case you have in mind. SAML is 
> not a policy
> > provisioning protocol. What sort of request might Alice have 
> > made to suggest
> > to the PEP that she might want to access all of www.hp.com? 
> > In the normal
> > case, there will be thousands of pages she can access and 
> > thousands she
> > cannot. Even with a really general language to express 
> > resources, e.g. reg
> > exp, It's going to be a long list.
> > 
> > It sounds to me that what you really ought to do is operate a 
> > PDP, which
> > receives Attribute Assertions (and perhaps Authorization 
> > Assertions) and
> > makes a decision whether to allow access. A PEP is supposed 
> > to be quite
> > simple.
> > 
> > > A related issue is the semantics of resource strings. I believe we
> > > need to define what these are. Suppose one of the 
> > <Resource> elements
> > > contains the following: http://www.hp.com/ 
> > > 
> > > What are the semantics: the home page or everything under it? 
> > > In my opinion
> > > serious security issues will arise if the asserting party 
> > and relying
> > > party apply different semantics.
> > 
> > Certainly this is something that the specification should 
> > make unambigious.
> > 
> > Hal
> > 
> > ------------------------------------------------------------------
> > To unsubscribe from this elist send a message with the single word
> > "unsubscribe" in the body to: 
> > security-services-request@lists.oasis-open.org
> > 
> 
> ------------------------------------------------------------------
> To unsubscribe from this elist send a message with the single word
> "unsubscribe" in the body to: 
> security-services-request@lists.oasis-open.org
> 

Phillip Hallam-Baker (E-mail).vcf



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


Powered by eList eXpress LLC