RE: XACML TC Charter Revision - Strawman

[Hal Lockhart <hal.lockhart@entegrity.com>]

Simon wrote,
> Hal, your response to a) below would seem to indicate that 
> you believe one
> or more of the following:
> 
> 1. providing all information would require too much space

Its not so much a matter of space as the overhead to collect a lot of
potentially unnecessary information and the need for the PEP to be aware of,
if not the exact policies, all the possible inputs.

> 2. an iterative conversation between an PEP, PDP, and 
> Attribute Authority
> would require too much time
> 
> Is this the case?

Essentially yes.

> It is also not clear to me the a) would require unnecessary 
> authentication

If the policy required checking attributes not related to the user, but not
the identity of the user, the user would likely be irritated to be forced to
authenticate

For example, suppose the policy says anybody can perform this action between
0000 and 0600 weekdays and anytime on weekends. Why demand authentication?

> Note, the only way a PEP could provide all information 
> necessary to make a
> decision without an iterative conversation would be if the 
> PEP had a way of
> finding out the finite set of attributes referenced by all 
> policies used to
> provision the PDP or the finite set of attributes available from the
> attribute authority. Perhaps we are making the same point here Hal?

Essentially yes. However, I take attributes from an attribute authority to
refer to a person (subject, principal) It is important to keep in mind that
authorization decisions can be based on many other kinds of information and
that requestor identity and attributes may not even be used.

-------------------

It is important to consider seperately the request to a PDP and the response
from a PDP. Since the PDP will always know what criteria it used to to make
a decision, it is easy for it to include the information in its response
(assertion) for audit purposes, assuming an appropriate syntax.

However, when making a request we encounter the problem discussed above. In
my mind there are three basic alternatives.
1. Use a simple policy model, such as an ACL style model and the PEP will
know what to supply
2. Closely couple the PEP and PDP, avoiding the use of Authorization
Decision Assertions entirely (note that the ability to use XACML as a
provisioning protocol makes this option more attractive)
3. Specify some inputs, PDP may or may not use them, it will fill in
defaults for others, it will tell you what info it used. This is what I
expect the SAML + XACML model to be like.

Note that #1 and #3 essentially look the same from the PEP's point of view.

Hal