Subject: RE: XACML TC Charter Revision - Strawman


Hal, your response to a) below would seem to indicate that you believe one
or more of the following:

1. providing all information would require too much space
2. an iterative conversation between a PEP, PDP, and Attribute Authority
would require too much time

Is this the case?

It is also not clear to me that a) would require unnecessary authentication.

Note, the only way a PEP could provide all information necessary to make a
decision without an iterative conversation would be if the PEP had a way of
finding out the finite set of attributes referenced by all policies used to
provision the PDP or the finite set of attributes available from the
attribute authority. Perhaps we are making the same point here, Hal?

> > (a) require each request to contain all information necessary to form a
> > decision
> 
> I don't think (a) is a practical possibility. It either requires the PEP to
> understand the policies that apply (which seems an undesirable lack of
> encapsulation) or for the PEP to provide all possible evidence with every
> request. I don't think this is feasible from a performance standpoint in a
> distributed environment. It also leads to behavior which is unacceptable
> from a user's point of view, for example, requiring unnecessary
> Authentication.

> -----Original Message-----
> From: Hal Lockhart [mailto:hal.lockhart@entegrity.com]
> Sent: Friday, June 08, 2001 7:33 AM
> To: 'bill parducci'
> Cc: 'Damodaran, Suresh'; 'xacml@lists.oasis-open.org';
> security-services@lists.oasis-open.org
> Subject: RE: XACML TC Charter Revision - Strawman
> 
> 
> Bill,
> 
> I wrote,
> > > For example, you will ask "Can Joe access x?" and you will get
> > > the answer "Yes, joe can access X", but the fact of the matter is the same
> > > request would get a different answer 1 sec later. Also perhaps it didn't
> > > even matter that it was Joe. Probably for accountability purposes that is
> > > good enough, but I continue to be concerned that the assertion will be
> > > wrongly construed.
> 
> you wrote,
> > if i understand this correctly, the only methods by which such apparent
> > capriciousness can be avoided are:
> > 
> > (a) require each request to contain all information necessary to form a
> > decision
> 
> I don't think (a) is a practical possibility. It either requires the PEP to
> understand the policies that apply (which seems an undesirable lack of
> encapsulation) or for the PEP to provide all possible evidence with every
> request. I don't think this is feasible from a performance standpoint in a
> distributed environment. It also leads to behavior which is unacceptable
> from a user's point of view, for example, requiring unnecessary
> Authentication.
> 
> > or
> > 
> > (b) provide all information involved in the decision regardless of the
> > contents of the request
> 
> This is what I had in mind.
> 
> > practical issues aside, in either situation i can see potential security
> > issues in that all aspects of the Authorization Decision must be
> > divulged externally.
> 
> Assuming (b) I would be interested in understanding your specific concerns.
> Certainly integrity and confidentiality of the assertion can be provided if
> required.
> 
> There is a principle in an Authentication situation to avoid giving away
> information that would assist an attacker. However, I am not aware of a
> similar concern in the context of Authorization. In fact, it is frequently a
> requirement to accompany a negative response with an indication of how a
> user might be allowed access, for example by reauthenticating with a
> "stronger" method.
> 
> In the case of a positive response, I see no issue with informing the PEP
> (or subsequently a court of law) what criteria were used.
> 
> Hal
> 

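Added illustration of option (b) as Hal describes it; this is constructed example code, not part of the thread and not from any XACML specification. A toy PDP resolves attributes on demand through a recording view, so the decision it returns carries exactly the attributes it consulted (the PEP need not know the policy, addressing the encapsulation point), and a negative decision carries an indication of how access might be obtained. The subjects, policy rules, attribute names and the business-hours window are all assumptions made up for the example; the `datetime` argument stands in for the clock, so the "same request, different answer one second later" case can be shown directly.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Dict, List, Optional

# Constructed attribute-authority data for the example (hypothetical subjects).
ATTRIBUTE_AUTHORITY: Dict[str, Dict[str, object]] = {
    "joe": {"role": "staff", "auth_method": "password"},
    "ann": {"role": "contractor", "auth_method": "password"},
}


class AttributeView:
    """Resolves attributes on demand and records every one a policy reads.

    The recorded dict is what option (b) returns to the PEP: all information
    involved in the decision, whatever the request itself contained.
    """

    def __init__(self, subject: str, now: datetime) -> None:
        self._subject = subject
        self._now = now
        self.used: Dict[str, object] = {}

    def get(self, name: str) -> object:
        if name == "hour":                      # environment attribute
            value: object = self._now.hour
        else:                                   # subject attribute
            value = ATTRIBUTE_AUTHORITY.get(self._subject, {}).get(name)
        self.used[name] = value
        return value


@dataclass
class Decision:
    permit: bool
    attributes_used: Dict[str, object]          # option (b): evidence consulted
    advice: List[str] = field(default_factory=list)  # how access might be gained


Rule = Callable[[AttributeView], bool]


def business_hours_rule(a: AttributeView) -> bool:
    # Hypothetical rule: staff may access during 09:00-16:59.
    return a.get("role") == "staff" and 9 <= a.get("hour") < 17


def strong_auth_rule(a: AttributeView) -> bool:
    # Hypothetical rule: anyone who authenticated "strongly" may access.
    return a.get("auth_method") == "strong"


# Resource "x" from the thread; permit-overrides combining of the two rules.
POLICY: Dict[str, List[Rule]] = {"x": [business_hours_rule, strong_auth_rule]}


def evaluate(subject: str, resource: str, now: datetime) -> Decision:
    """PDP entry point: the request names only subject and resource."""
    view = AttributeView(subject, now)
    permit = any(rule(view) for rule in POLICY.get(resource, []))
    advice: List[str] = []
    # On deny, tell the PEP what would change the outcome (Hal's example).
    if not permit and view.used.get("auth_method") not in (None, "strong"):
        advice.append("reauthenticate with a stronger method")
    return Decision(permit, dict(view.used), advice)


def same_request_one_second_apart(subject: str, resource: str,
                                  t: datetime) -> Optional[str]:
    """Returns the attribute whose value differs when the verdict flips."""
    before, after = evaluate(subject, resource, t), evaluate(subject, resource,
                                                             t.replace(second=t.second + 1) if t.second < 59 else t)
    if before.permit == after.permit:
        return None
    for name, value in before.attributes_used.items():
        if after.attributes_used.get(name) != value:
            return name
    return None


if __name__ == "__main__":
    for when in (datetime(2001, 6, 8, 10, 0, 0), datetime(2001, 6, 8, 20, 0, 0)):
        d = evaluate("joe", "x", when)
        print(when.isoformat(), "permit" if d.permit else "deny",
              d.attributes_used, d.advice)
```

Because `any` short-circuits, a permit reached by the first rule reports only the attributes that rule read; a deny reports everything every rule consulted, which is the case where the PEP (or a later auditor) most needs the evidence. The `same_request_one_second_apart` helper only flips at the 16:59:59 to 17:00:00 boundary if the caller passes a minute-boundary time; it exists to show that the reported `hour` attribute, not the subject, explains the changed answer.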