OASIS Mailing List Archives

security-services message

Subject: RE: [security-services] XPath issues and resolutions

> Yes, as I see it the attribute authority would do the 
> following for an attributeQuery: 
> 1) lookup of the service document using the nameID and the 
> documentType (using UDDI, Liberty Disco, or whatever) 
> 2) get the document (using the WSDL published in UDDI or 
> using the Liberty Web services framework) 
> 3) apply the xpath and return the value in an assertion 

Right, so is that worth calling out even if only informally?

> I'm struggling with a use-case for this.  If an explicit 
> document reference is also user specific how can we publish 
> this document as an assertable attribute in metadata?

I don't think publishing the document makes sense, it would presumably have
sensitive data in it. The schema might be published, which enables people to
determine the path expressions that would be useful. I'm basically looking
at XACML with this; it seems to support XPath expressions in a manner that
I thought was roughly similar to this.

The examples there are a medical record file, and they have attributes that
make reference to parts of the file to express rules like "I can access the
file iff my attribute 'foo' matches the attribute obtained by applying xpath
'bar' to the file."

I think the use case is any situation in which an addressable resource
pertaining to the subject is a potential source of attributes. To me, the
"document type" idea is just a layer of indirection on the same basic use

So I just wondered if a more simplistic basic case where the resource was
directly referenced made sense.

> Or on 
> the other hand, if the explicit document applies to all 
> users, then what does it mean to query part of the document 
> for a particular user?  Would it imply accessing the document 
> with the user's assigned rights?  Or maybe it is simply a 
> document that applies to all users. 

Possibly, but that wasn't the situation I was thinking of.

-- Scott
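The three-step attribute query sketched in the quoted reply (look up the subject's document, fetch it, apply the XPath and return the value) and the XACML-style "my attribute 'foo' matches xpath 'bar' applied to the file" rule, as an added example that is not part of this thread or of any OASIS specification. The in-memory record store stands in for the UDDI/Liberty lookup and fetch steps, the `medical-record` document type, the record layout and every function name are assumptions, and the record content is constructed sample data. The one design point it adds is the caveat the message hints at: because the document is sensitive and only its schema is public, the attribute authority should accept only path expressions it has allowlisted for that document type, not arbitrary XPath from the requester.

```python
# Added example, not from the original thread. Toy SAML-style attribute
# authority: resolve a subject's document, apply an allowlisted XPath, and
# return the result as an attribute value; plus an XACML-style rule that
# compares the requester's attribute with the value pulled from the document.
import xml.etree.ElementTree as ET

# Constructed sample data (assumption): one document per subject nameID.
# In the thread this would be located via UDDI / Liberty Disco and fetched
# over the published WSDL or the Liberty web services framework.
RECORDS = {
    "urn:example:patient:42": """
<record>
  <patient><name>A. Example</name></patient>
  <primaryPhysician>dr-smith</primaryPhysician>
  <diagnosis>confidential</diagnosis>
</record>
""",
}

# Path expressions derived from the published schema, per document type
# (assumption). Only these are evaluated, so a requester cannot ask for
# arbitrary parts of a sensitive document such as <diagnosis>.
ALLOWED_PATHS = {
    "medical-record": {"./primaryPhysician"},
}


class AttributeQueryError(Exception):
    """Raised when the query cannot be answered (unknown subject, bad path)."""


def is_path_permitted(document_type, xpath):
    """True iff xpath is one of the published expressions for document_type."""
    return xpath in ALLOWED_PATHS.get(document_type, set())


def lookup_document(name_id, document_type):
    """Steps 1 and 2: locate and fetch the subject's document (toy store)."""
    if document_type not in ALLOWED_PATHS or name_id not in RECORDS:
        raise AttributeQueryError("no %s document for subject" % document_type)
    return ET.fromstring(RECORDS[name_id])


def attribute_query(name_id, document_type, xpath):
    """Step 3: apply the XPath and return the matching text values.

    The allowlist check runs before the document is touched, so a rejected
    expression leaks nothing, not even whether the subject has a document.
    """
    if not is_path_permitted(document_type, xpath):
        raise AttributeQueryError("path expression not permitted: %r" % xpath)
    doc = lookup_document(name_id, document_type)
    return [node.text for node in doc.findall(xpath) if node.text]


def xacml_style_permit(requester_attr, name_id, document_type, xpath):
    """XACML-style rule: permit iff the requester's attribute equals the value
    obtained by applying xpath to the subject's document. Any query failure
    is a deny (fail closed)."""
    try:
        values = attribute_query(name_id, document_type, xpath)
    except AttributeQueryError:
        return False
    return requester_attr in values


if __name__ == "__main__":
    subj = "urn:example:patient:42"
    print(attribute_query(subj, "medical-record", "./primaryPhysician"))
    print(xacml_style_permit("dr-smith", subj, "medical-record", "./primaryPhysician"))
    print(xacml_style_permit("dr-jones", subj, "medical-record", "./primaryPhysician"))
```

`xml.etree.ElementTree` only understands a small XPath subset, which is enough here because the allowlist is the real control; a production authority would use a full XPath engine and would still refuse any expression not derived from the published schema.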
