Subject: RE: [xacml-dev] Policy editor? Gui?

>===== Original Message From Seth Proctor <Seth.Proctor@Sun.COM> =====
>On Tue, 2004-11-16 at 13:42, Mary Kolencik (siamese@bcpl.net) wrote:
>> Let's say I'm the policy editor for a system, I control all the
>> policies and I want some scheme to keep all of my policy ids unique.
>> It's a requirement, right? So if I were using a tool to write my
>> policies, it would be nice to have the tool assign the policy ids
>> and manage them.
>Ah. Ok. Yes, that makes sense. Something that either generates random
>ids, uses schemes based on some structure, or something similar. That
>certainly makes sense.

Exactly. The tool might have to maintain some configuration 
information about what id scheme is used for the collection of
policies, but it could be transparent to the policy writer.

>> Also, being able to sign policies with the tool would be nice.
>Agreed. The only challenge there, of course, is that there's no standard
>scheme for using signed XACML policies right now, so that would have to
>be custom functionality...but definitely very useful.

There are two needs for this that I see. One is for the policy writer
to know that their policies haven't been modified or tampered with,
sometimes by their own error. The other would be for the PDP to
authenticate the policy. I agree, the second need would be custom
functionality. But for the first purpose, maybe there's another 
solution. What about keeping track of a checksum or something simple?
Some way to help the policy writer detect changes they may not have
wanted made. I'm just thinking out loud here.

Mary Kolencik
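
An added illustration (not part of the original message, and not code from any tool discussed in the thread) of the two ideas raised above: a tool-side check that policy ids stay unique, and a stored checksum that lets the policy writer detect changes they did not intend. The file names, ids and policy documents are constructed samples, and SHA-256 is an assumed choice of checksum.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:1.0:policy"
ALG = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"

def sample(pid, effect):
    """Build a minimal constructed policy document (no Target; illustration only)."""
    return (f'<Policy xmlns="{NS}" PolicyId="{pid}" RuleCombiningAlgId="{ALG}">'
            f'<Rule RuleId="r1" Effect="{effect}"/></Policy>').encode()

# Constructed sample collection; a real tool would read these bytes from files.
POLICIES = {
    "doc-read.xml": sample("urn:example:policy:doc-read", "Permit"),
    "doc-write.xml": sample("urn:example:policy:doc-write", "Deny"),
}

def policy_id(data):
    """Return the PolicyId (or PolicySetId) attribute of the root element."""
    root = ET.fromstring(data)
    return root.get("PolicyId") or root.get("PolicySetId")

def build_manifest(policies):
    """Record id and SHA-256 per file; refuse collections with duplicate ids."""
    manifest, owner = {}, {}
    for name in sorted(policies):
        pid = policy_id(policies[name])
        if pid is None:
            raise ValueError(f"{name}: no PolicyId or PolicySetId")
        if pid in owner:
            raise ValueError(f"duplicate id {pid} in {owner[pid]} and {name}")
        owner[pid] = name
        # Hash the exact bytes, so whitespace-only edits are reported too.
        manifest[name] = {"id": pid, "sha256": hashlib.sha256(policies[name]).hexdigest()}
    return manifest

def verify(policies, manifest):
    """Return (file, status) pairs for everything that differs from the manifest."""
    changes = []
    for name in sorted(set(policies) | set(manifest)):
        if name not in manifest:
            changes.append((name, "added"))
        elif name not in policies:
            changes.append((name, "removed"))
        elif hashlib.sha256(policies[name]).hexdigest() != manifest[name]["sha256"]:
            changes.append((name, "modified"))
    return changes

if __name__ == "__main__":
    m = build_manifest(POLICIES)
    edited = {**POLICIES, "doc-write.xml": sample("urn:example:policy:doc-write", "Permit")}
    print(verify(POLICIES, m), verify(edited, m))
```

A plain digest like this only serves the first need in the message, catching unintended edits; anyone able to change a policy can usually rewrite the manifest as well, so it does not let a PDP authenticate a policy.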

