Subject: RE: Horn clauses (formerly...access control information)


W/respect to the comment "we should be able to state a policy without
worrying about the mechanism of interpretation of it", it depends upon what
you mean by "worry". I think that, once you are immersed in a particular
authorization model, it should be fairly easy to write policies for that
model but that, in general, you cannot write authorization policies in a
vacuum. Authorization policies only make sense in the context of an
authorization model and authorization models define (among other things) how
policies are evaluated/interpreted.

-----Original Message-----
From: Damodaran, Suresh [mailto:Suresh_Damodaran@stercomm.com]
Sent: Wednesday, June 13, 2001 6:45 AM
To: 'bill parducci'; 'xacml@lists.oasis-open.org'
Subject: Horn clauses (formerly...access control information)


Here are my 2 cents on why I do believe Horn clauses are worth some thought
even though they wouldn't be the best way to represent policy
(Excuse me if I am possibly oversimplifying and butchering
some core ideas here)

When stated in XML, the policy statements can be considered as
a set of axioms. The access control decision (resolution) 
can be thought of as proving a theorem such as "Does the subject
have privilege for an action on the target?" The mechanism
for interpreting the policy can be by any computational means.

When stated in Horn clauses, the policy statements can be thought
of as "directly interpretable" axioms - Prolog like systems
can interpret them for you. Now, the access control decision
is a matter of direct interpretation.

Given these, should we consider Horn clauses for policy representation?
Possibly not, because apart from most people not knowing what these are
or how to use these, we should be able to state a policy without
worrying about the mechanism of interpretation of it. I am suspecting that
the policy statements expressed in XML in declarative
style can be more powerful than Horn clauses. It may be interesting
to investigate this question by transforming the policy declarations into
Horn clauses. 

If indeed Horn clauses are powerful enough, we can provide them
as yet another means to interpret the policy. Besides, it might be a good test
bed to answer some of the "what if" questions on policy.

-Suresh


-----Original Message-----
From: bill parducci [mailto:bill@parducci.net]
Sent: Tuesday, June 12, 2001 12:34 PM
To: 'xacml@lists.oasis-open.org'
Subject: Re: access control information (formerly... Strawman)


first, you both get my vote for the academian egghead idea of the week
award! :o) 

i think simon is correct; even were the group able to reach such
agreement, i fear the learning curve associated with implementing such a
solution would be significant. i don't know about anyone else, but i
will be the first to claim practical ignorance with Horn Clauses (and i
consider myself in the upper quartile of the ignoramus population).

that is not to say that the idea is not good, but i wonder if there may
be a way to make it more approachable?

b

"Simon Y. Blackwell" wrote:
> 
> !!! I had almost introduced the concept of Horn Clauses a few days ago, but
> I figured it might be too obscure. I do think it is something we should
> explore when defining the policy language. However, coming to agreement on
> the standard set of primitive predicates will be a substantial rub!
> 
> > -----Original Message-----
> > From: Polar Humenn [mailto:polar@syr.edu]
> > Sent: Tuesday, June 12, 2001 5:37 AM
> > To: bill parducci
> > Cc: 'xacml@lists.oasis-open.org'
> > Subject: Re: access control information (formerly... Strawman)
> >
> >
> >
> > You could go for a strictly logical approach, i.e. Prolog like Horn
> > Clauses. Then you have a semantics. You just have to standardize the
> > primitive predicates.
> >
> > -Polar
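
The idea discussed in this thread (policy statements as axioms, an access decision as proving a goal, and "what if" queries against the policy), sketched as an added example that is not part of any message above. The predicates `role`, `assigned`, `owner` and `permit`, the sample facts, and the helpers `decide` and `who_can` are all assumptions made for illustration.

```python
# Added illustration: flat (Datalog-style) Horn clauses; predicates and facts are constructed.
def is_var(t):
    return t[:1].isupper()              # Prolog convention: capitalised term = variable
def walk(t, s):
    while is_var(t) and t in s:         # follow variable bindings to their value
        t = s[t]
    return t

def unify(a, b, s):
    """Unify two atoms (tuples of strings) under substitution s; None on failure."""
    if len(a) != len(b):
        return None
    s = dict(s)
    for x, y in zip(a, b):
        x, y = walk(x, s), walk(y, s)
        if x != y:
            if is_var(x):
                s[x] = y
            elif is_var(y):
                s[y] = x
            else:
                return None
    return s

def solve(goals, s, kb, depth=25):
    """SLD resolution: yield each substitution under which every goal is provable."""
    if not goals:
        yield s
    elif depth > 0:                     # depth bound stops runaway recursive rules
        fresh = lambda atom: tuple(f"{t}_{depth}" if is_var(t) else t for t in atom)
        for head, body in kb:           # depth is unique along one proof branch
            s2 = unify(goals[0], fresh(head), s)
            if s2 is not None:
                rest = [fresh(a) for a in body] + goals[1:]
                yield from solve(rest, s2, kb, depth - 1)
POLICY = [  # (head, body) pairs; a fact has an empty body
    (("role", "alice", "doctor"), []), (("role", "bob", "clerk"), []),
    (("assigned", "alice", "rec17"), []), (("owner", "carol", "rec17"), []),
    (("permit", "S", "read", "R"), [("role", "S", "doctor"), ("assigned", "S", "R")]),
    (("permit", "S", "A", "R"), [("owner", "S", "R")]),
]
def decide(subject, action, target, kb=POLICY):
    """Deny unless the request is provable; capitalised inputs would act as wildcards."""
    if any(is_var(t) for t in (subject, action, target)):
        return "Deny"
    goal = ("permit", subject, action, target)
    return "Permit" if next(solve([goal], {}, kb), None) is not None else "Deny"
def who_can(action, target, kb=POLICY):
    """A 'what if' query: every subject for whom permit(Who, action, target) holds."""
    goal = ("permit", "Who", action, target)
    return sorted({walk("Who", s) for s in solve([goal], {}, kb)})
```

The guard in `decide` matters because request values are unified like any other term: without it, a capitalised subject would be read as a variable and match whichever subject the policy permits.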

