
security-services message


Subject: RE: XACML OID tag?

Bob Jueneman wrote:
> This is going to sound like heresy, but has anyone defined an 
> OID tag for XACML, so that an XACML string could be included 
> in a X.509 certificate?


> Toolkits which would provide enterprises to issue their own 
> certificates have so far failed to take off to any 
> significant degree


> One of the reasons, I believe, is that neither the public 
> TTPs nor the toolkit vendors have so far adequately addressed 
> the important issue of providing a cross-enterprise Privilege 
> Management Infrastructure solution.  And now that they are 
> feeling a very significant financial pinch, they may not have 
> the wherewithal to solve that problem.

Perhaps you are simply looking for an OID to put arbitrary XML in a cert, so
this response will be overkill, but I believe your message implies a lack of
understanding of the XML security work currently going on at OASIS (SAML and

XACML is defining the means to express Access Control Policies. I don't
really see what the semantics of an access control policy in the middle of a
cert would be.

Perhaps you are thinking of SAML. SAML has Attribute Assertions which are
almost like Attribute Certs. Also it has Authentication Assertions which
seem mostly useful in non-PKI environment. Finally there are Authorization
Decision Assertions, which are likely to be quite specific to a resource and
short lived. Again it is not clear what putting one in a cert would signify.

Of course all can be signed using XMLdsig and thus be consumers of PKIX
mechanisms. But I am unclear what sort of a use case you have in mind.

> Maybe it's just the religion of the week (XML) creating an 
> evangelistic fervor, but that's where the buzz seems to be 
> these days.  And I'd rather drop some XACML into an X.509 
> certificate and make use of the existing tools, rather than 
> create everything from scratch.  And yes, if X.509 attribute 
> certificates had been better thought out and/or more widely 
> implemented, maybe this wouldn't be necessary. And if pigs 
> could whistle and cows could fly, then the world would be a 
> much different place.

If you believe X.509 Attribute Certs are broken (as opposed to unused) I
would like to hear why, since SAML Attribute Assertions are very similar. On
the other hand, SAML has a lot of other machinery, so perhaps we have
already addressed your concerns.

I understand the buzz concern, but there is actually very little overlap
between the functional capabilities of PKIX and the OASIS security work.

> Anyway, does anyone have such an OID and a suggested way to 
> use it?  If not, I guess I'll explore rolling my own, unless 
> someone else wants to join in the fun.

Before you design something, I suggest you propose a use case or some
requirements or something.
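To make the question at the top of the thread concrete, here is an added example (not code from either correspondent) of what "an OID tag so that an XACML string could be included in an X.509 certificate" amounts to on the wire. An X.509 v3 extension is `SEQUENCE { extnID OBJECT IDENTIFIER, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }`, so a private extension carrying XML is just an OID plus an OCTET STRING of UTF-8 text. The OID used below is a placeholder under the IANA private-enterprise arc (the enterprise number and sub-arc are made up for this example, not registered), the XACML payload is a constructed skeleton, and the DER encoder and decoder are hand-rolled from the standard library only.

```python
import xml.etree.ElementTree as ET

# Hypothetical placeholder OID: 1.3.6.1.4.1 is the IANA private-enterprise arc;
# 99999 and the trailing .1 are made-up values for this example, not registered.
PLACEHOLDER_XACML_OID = "1.3.6.1.4.1.99999.1"

# Constructed sample payload: a minimal XACML 1.0 Policy skeleton, not a policy
# from the thread. It is long enough to exercise DER long-form lengths.
SAMPLE_XACML = (
    '<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy" PolicyId="example-1"'
    ' RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">'
    '<Target><Subjects><AnySubject/></Subjects><Resources><AnyResource/></Resources>'
    '<Actions><AnyAction/></Actions></Target>'
    '<Rule RuleId="r1" Effect="Permit"/></Policy>'
)


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + der_length(len(value)) + value


def _base128(n: int) -> bytes:
    """Base-128 subidentifier; continuation bit set on all but the last octet."""
    septets = [n & 0x7F]
    n >>= 7
    while n:
        septets.append(n & 0x7F)
        n >>= 7
    septets.reverse()
    return bytes(s | 0x80 for s in septets[:-1]) + bytes([septets[-1]])


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    subids = [arcs[0] * 40 + arcs[1]] + arcs[2:]  # first two arcs share one subidentifier
    return der_tlv(0x06, b"".join(_base128(s) for s in subids))


def encode_extension(oid: str, xml_text: str, critical: bool = False) -> bytes:
    """Encode Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE, extnValue }."""
    ET.fromstring(xml_text)  # refuse to embed malformed XML
    body = encode_oid(oid)
    if critical:  # DER omits a value equal to its DEFAULT, so FALSE is never written
        body += der_tlv(0x01, b"\xff")
    body += der_tlv(0x04, xml_text.encode("utf-8"))
    return der_tlv(0x30, body)


def _read_tlv(buf: bytes, pos: int):
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content: bytes) -> str:
    subids, acc = [], 0
    for b in content:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(acc)
            acc = 0
    first = subids[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in arcs + subids[1:])


def decode_extension(der: bytes) -> dict:
    """Parse the extension back and return its OID, criticality and XML text."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag, oid_content, pos = _read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("extnID must be an OBJECT IDENTIFIER")
    critical = False
    tag, value, pos = _read_tlv(body, pos)
    if tag == 0x01:
        critical = value == b"\xff"
        tag, value, pos = _read_tlv(body, pos)
    if tag != 0x04 or pos != len(body):
        raise ValueError("extnValue must be the final OCTET STRING")
    return {"oid": decode_oid(oid_content), "critical": critical,
            "xml": value.decode("utf-8")}


def round_trip(critical: bool = False) -> dict:
    """Build the placeholder extension, decode it again, return the decoded fields."""
    return decode_extension(encode_extension(PLACEHOLDER_XACML_OID, SAMPLE_XACML, critical))


if __name__ == "__main__":
    ext = encode_extension(PLACEHOLDER_XACML_OID, SAMPLE_XACML, critical=True)
    print(len(ext), "bytes:", ext[:16].hex(), "...")
    print(round_trip(critical=True))
```

The `critical` flag is where the design question in the thread bites: under RFC 5280 a relying party must reject a certificate carrying an unrecognised critical extension, so a home-grown XACML extension is either marked non-critical (and silently ignored by every existing toolkit) or critical (and breaks path validation everywhere the OID is unknown). Either way the policy inherits the certificate's lifetime and revocation behaviour, which is the mismatch the reply points to for resource-specific, short-lived authorization data.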
