xacml-dev message
Subject: Re: [xacml-dev] XACML X.509 support


Daniel Engovatov wrote:
> I will try to answer from the standard perspective - I am sure that
> people familiar with the particular implementation you work with will
> fill in.
> 
> How the information gets into the context handler and how its consistency is
> ensured -- transport layer security, digital signatures, -- is outside
> of the scope of the XACML standard.   It is expected that a particular
> implementation takes care of this - there are plenty of good tools to
> choose from.  Environments where XACML can be used are too diverse. 
> 
I agree and want to add that a good solution (and actually current 
practice) is to use SAML for expressing security assertions/credentials 
together with XACML messaging and policy expression and 
processing, as we do in our access control solutions.

SAML 1.1 has reasonable support for different AuthN schemes and 
assertions, defining the elements Subject/NameIdentifier and 
SubjectConfirmation, where the SubjectConfirmation data can be an X.509 cert. 
SAML 2.0 has an extended range of SubjectConfirmation methods and data 
formats.

There are numerous SAML 1.1 implementations including OpenSAML. 
Fortunately, we will have SAML 2.0 libraries very soon.

Regards,

Yuri

> 
> -----Original Message-----
> From: Mine Altunay [mailto:maltuna@ncsu.edu] 
> Sent: Tuesday, February 22, 2005 11:22 AM
> To: xacml@lists.oasis-open.org
> Cc: sunxacml-discuss@lists.sourceforge.net; xacml-dev mailing list
> Subject: [xacml-dev] XACML X.509 support
> 
> Hi all
> 
> How does a PDP verify the validity/legitimacy of claimed attributes in a
> given request? For example, a subject attribute may claim that the user is
> a member of a developer group. Then, the PDP would evaluate this information
> and decide the appropriate access decision for the "developers". However,
> how does the PDP verify that the said subject is indeed a member of the
> claimed group? What I see from PDP and request examples is that a request
> does not carry such proofs as attribute credentials or identity
> credentials.
> 
> However, lack of such support makes the authz process very naive,
> vulnerable against malicious users.
> 
> Additionally, I am working with an identity-based authz system that relies
> on X.509 credentials. Therefore, for my PDP it is important not only to
> get an access decision, but also to verify that the subject does indeed
> have a valid certificate (or ACs or whatever the policy calls for). Right now,
> I am using the xacml X500NameAttribute; however, it does not really prove
> that this subject indeed has an issued certificate. (I am naively passing
> the DN and hoping that the user is honest with it.)
> 
> If you could point me ways to provide such a verification in my xacml
> framework, I would be grateful.
> 
> Also, do you see this verification problem as out of the xacml scope, or is
> there already support in the existing xacml framework that perhaps I am
> missing?
> 
> PS: I also thought about external means to send the certificate after the
> authz process, but it is costly and redundant.
> Thank you all
> 