security-services message



Subject: RE: Resource sets and resource string semantics


> PEP: Can Alice access http://www.hp.com/finance/fred.xls 
> PDP: Yes, and Alice can access http://www.hp.com/*

I don't think we should be passing policy back with the authorization
decision. 


> Note that another possibility is that the PEP is not a file system. If the
> access control policy or permissions/whathaveyou are embedded in the
> resource the PEP may be asking a question of the form 'Does Alice have the
> Role X' or 'Does Alice have any resources in the set ..../*'

It is my understanding that the consensus of the TC was that a PDP did not
know how to make decisions, and would therefore not interact in this way.
This seems to be a PDP/PEP combination.

Regards,

Darren




> -----Original Message-----
> From: Philip Hallam-Baker [mailto:pbaker@verisign.com]
> Sent: Friday, May 04, 2001 12:24 PM
> To: 'Edwards, Nigel'; 'Hal Lockhart';
> security-services@lists.oasis-open.org
> Subject: RE: Resource sets and resource string semantics
> 
> 
> 
> All resources on the HP web site ???
> 
> How about http://www.hp.com/*
> 
> or if we want to avoid any possibility of collision (although * is a
> reserved URI character):
> 
> http://www.hp.com/ *
> 
> Or we could use an XPATH statement - maybe Eve can fill us in???
> 
> The way I would see the conversation going is:
> 
> PEP: Can Alice access http://www.hp.com/finance/fred.xls 
> PDP: Yes, and Alice can access http://www.hp.com/*
> 
> PEP: Can Alice access http://www.hp.com/finance/mary.xls
> PEP-Cache: Yes
> 
> I don't like the idea of unconstrained wildcard matching etc. However simple
> hierarchical partitioning is probably enough for what we need. After all the
> admin will probably organize directories so that the wildcards match
> cleanly.
> 
> 
> Note that another possibility is that the PEP is not a file system. If the
> access control policy or permissions/whathaveyou are embedded in the
> resource the PEP may be asking a question of the form 'Does Alice have the
> Role X' or 'Does Alice have any resources in the set ..../*'
> 
> 	Phill
> 
> Phillip Hallam-Baker FBCS C.Eng.
> Principal Scientist
> VeriSign Inc.
> pbaker@verisign.com
> 781 245 6996 x227
> 
> 
> > -----Original Message-----
> > From: Edwards, Nigel [mailto:Nigel_Edwards@hp.com]
> > Sent: Friday, May 04, 2001 2:29 PM
> > To: 'Hal Lockhart'; Edwards, Nigel;
> > security-services@lists.oasis-open.org
> > Subject: RE: Resource sets and resource string semantics
> > 
> > 
> > Hi Hal,
> > I should have made it more clear that I am worrying about the kind
> > of interaction that may take place between an Attribute Authority
> > and a PDP, rather than a PDP and a PEP.
> > 
> > Sorry about that,
> > Nigel.
> > 
> > > -----Original Message-----
> > > From: Hal Lockhart [mailto:hal.lockhart@entegrity.com]
> > > Sent: 04 May 2001 16:56
> > > To: 'Edwards, Nigel'; security-services@lists.oasis-open.org
> > > Subject: RE: Resource sets and resource string semantics
> > > 
> > > 
> > > Nigel,
> > >  
> > > > The intent of this assertion is to specify authorizations associated
> > > > with Alice's account.
> > > > 
> > > > Suppose I want to issue an assertion allowing Alice to access all
> > > > resources on a large web site with a dynamic resource set,
> > > > e.g. http://www.hp.com/ 
> > > > 
> > > > Clearly it is not possible to enumerate the entire resource set. So
> > > > how do we handle this case?
> > > > 
> > > > It occurs to me that some may feel that this sort of assertion should
> > > > be considered by XACML, rather than SAML. I guess one possible
> > > > resolution is to leave it to XACML.
> > > 
> > > I don't understand the use case you have in mind. SAML is not a policy
> > > provisioning protocol. What sort of request might Alice have made to suggest
> > > to the PEP that she might want to access all of www.hp.com? In the normal
> > > case, there will be thousands of pages she can access and thousands she
> > > cannot. Even with a really general language to express resources, e.g. reg
> > > exp, it's going to be a long list.
> > > 
> > > It sounds to me that what you really ought to do is operate a PDP, which
> > > receives Attribute Assertions (and perhaps Authorization Assertions) and
> > > makes a decision whether to allow access. A PEP is supposed to be quite
> > > simple.
> > > 
> > > > A related issue is the semantics of resource strings. I believe we
> > > > need to define what these are. Suppose one of the <Resource> elements
> > > > contains the following: http://www.hp.com/ 
> > > > 
> > > > What are the semantics: the home page or everything under it? 
> > > > In my opinion serious security issues will arise if the asserting party
> > > > and relying party apply different semantics.
> > > 
> > > Certainly this is something that the specification should make
> > > unambiguous.
> > > 
> > > Hal
> > > 
> > > ------------------------------------------------------------------
> > > To unsubscribe from this elist send a message with the single word
> > > "unsubscribe" in the body to: 
> > > security-services-request@lists.oasis-open.org
> > > 
> > 
> 
> 
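
The thread turns on two points: a PEP caching a subtree grant such as `http://www.hp.com/*`, and what a bare `http://www.hp.com/` means. The sketch below is an added example, not code from any message in the thread or from the SAML specification; it assumes one possible convention (a trailing `/*` grants the subtree, anything else grants exactly one resource), and `canonical`, `PepCache` and `naive_covers` are hypothetical names. It compares on parsed origin and path segments, and keeps a raw string-prefix matcher only for contrast.

```python
from urllib.parse import urlsplit


def canonical(url):
    """Reduce a URL to (scheme, host, port, path segments) for comparison.

    Assumption: '.', '..' and empty segments are resolved and a trailing
    slash is ignored; percent-encoding is not decoded here.
    """
    parts = urlsplit(url)
    segs = []
    for seg in parts.path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segs:
                segs.pop()
            continue
        segs.append(seg)
    return parts.scheme.lower(), parts.hostname or "", parts.port, tuple(segs)


class PepCache:
    """Decision cache kept by the PEP (hypothetical, for illustration)."""

    def __init__(self):
        self.exact = set()      # grants for one resource only
        self.subtrees = set()   # grants written with a trailing "/*"

    def record(self, grant):
        if grant.endswith("/*"):
            self.subtrees.add(canonical(grant[:-1]))
        else:
            self.exact.add(canonical(grant))

    def covers(self, url):
        key = canonical(url)
        if key in self.exact:
            return True
        # Same origin, and the grant's segments are a prefix of the request's.
        return any(key[:3] == g[:3] and key[3][:len(g[3])] == g[3]
                   for g in self.subtrees)


def naive_covers(grant, url):
    """Raw string-prefix matching, shown only for contrast."""
    return url.startswith(grant.rstrip("*"))
```

Under this convention a relying party that treats `http://www.hp.com/` as a subtree would allow requests that the asserting party's exact-resource reading denies, which is the mismatch the thread asks the specification to rule out.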

