Subject: RE: Horn clauses (formerly...access control information)
W/respect to the comment "we should be able to state a policy without worrying about the mechanism of interpretation of it", it depends upon what you mean by "worry". I think that, once you are immersed in a particular authorization model, it should be fairly easy to write policies for that model but that, in general, you cannot write authorization policies in a vacuum. Authorization policies only make sense in the context of an authorization model and authorization models define (among other things) how policies are evaluated/interpreted.

-----Original Message-----
From: Damodaran, Suresh [mailto:Suresh_Damodaran@stercomm.com]
Sent: Wednesday, June 13, 2001 6:45 AM
To: 'bill parducci'; 'xacml@lists.oasis-open.org'
Subject: Horn clauses (formerly...access control information)

Here are my 2 cents on why I do believe Horn clauses are worth some thought even though they wouldn't be the best way to represent policy (Excuse me if I am possibly oversimplifying and butchering some core ideas here)

When stated in XML, the policy statements can be considered as a set of axioms. The access control decision (resolution) can be thought of as proving a theorem such as "Does the subject have privilege for an action on the target?" The mechanism for interpreting the policy can be by any computational means.

When stated in Horn clauses, the policy statements can be thought of as "directly interpretable" axioms - Prolog like systems can interpret them for you. Now, the access control decision is a matter of direct interpretation.

Given these, should we consider Horn clauses for policy representation? Possibly not, because apart from most people not knowing what these are or how to use these, we should be able to state a policy without worrying about the mechanism of interpretation of it. I am suspecting that the policy statements expressed in XML in declarative style can be more powerful than Horn clauses.

It may be interesting to investigate this question by transforming the policy declarations into Horn clauses. If indeed Horn clauses are powerful enough, we can provide them as yet another means to interpret the policy. Besides, it might be a good test bed to answer some of the "what if" questions on policy.

-Suresh

-----Original Message-----
From: bill parducci [mailto:bill@parducci.net]
Sent: Tuesday, June 12, 2001 12:34 PM
To: 'xacml@lists.oasis-open.org'
Subject: Re: access control information (formerly... Strawman)

first, you both get my vote for the academian egghead idea of the week award! :o)

i think simon is correct; even were the group able to reach such agreement, i fear the learning curve associated with implementing such a solution would be significant. i don't know about anyone else, but i will be the first to claim practical ignorance with Horn Clauses (and i consider myself in the upper quartile of the ignoramus population).

that is not to say that the idea is not good, but i wonder if there may be a way to make it more approachable?

b

"Simon Y. Blackwell" wrote:
>
> !!! I had almost introduced the concept of Horn Clauses a few days ago, but
> I figured it might be too obscure. I do think it is something we should
> explore when defining the policy language. However, coming to agreement on
> the standard set of primitive predicates will be a substantial rub!
>
> > -----Original Message-----
> > From: Polar Humenn [mailto:polar@syr.edu]
> > Sent: Tuesday, June 12, 2001 5:37 AM
> > To: bill parducci
> > Cc: 'xacml@lists.oasis-open.org'
> > Subject: Re: access control information (formerly... Strawman)
> >
> > You could go for a strictly logical approach, i.e. Prolog like Horn
> > Clauses. Then you have a semantics. You just have to standardize the
> > primitive predicates.
> >
> > -Polar
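
The framing in the thread above (policy statements as axioms, the access decision as a theorem to prove) can be made concrete with a small interpreter. The following is an added example, not part of the original thread; it uses Python rather than Prolog, and the predicates (`role`, `inherits`, `grant`, `owns`, `has_role`, `permit`) and the sample policy are constructed assumptions, not a proposed standard set of primitives.

```python
# Added illustration: forward chaining over function-free Horn clauses.
# Terms starting with an uppercase letter are variables (Prolog convention).

def unify(atom, fact, env):
    """Match one body atom against a ground fact; return new bindings or None."""
    if len(atom) != len(fact) or atom[0] != fact[0]:
        return None
    env = dict(env)
    for a, f in zip(atom[1:], fact[1:]):
        if a[:1].isupper():                 # variable: bind it or check binding
            if env.setdefault(a, f) != f:
                return None
        elif a != f:                        # constant: must match exactly
            return None
    return env

def match_body(body, facts, env):
    """Yield every binding that satisfies all atoms of a rule body."""
    if not body:
        yield env
        return
    for fact in facts:
        bound = unify(body[0], fact, env)
        if bound is not None:
            yield from match_body(body[1:], facts, bound)

def closure(facts, rules):
    """Derive every consequence of the axioms (least fixpoint)."""
    known = set(facts)
    while True:
        new = {tuple(env.get(t, t) for t in head)
               for head, body in rules
               for env in match_body(body, known, {})} - known
        if not new:
            return known
        known |= new

# Constructed sample policy: ground facts (axioms) ...
FACTS = {("role", "alice", "manager"), ("role", "bob", "clerk"),
         ("inherits", "manager", "auditor"), ("inherits", "auditor", "clerk"),
         ("grant", "clerk", "read", "ledger"), ("owns", "bob", "ledger"),
         ("grant", "auditor", "read", "audit_log")}
RULES = [  # ... and rules; (head, body) means: head :- body[0], body[1], ...
    (("has_role", "S", "R"), [("role", "S", "R")]),
    (("has_role", "S", "R"), [("has_role", "S", "Q"), ("inherits", "Q", "R")]),
    (("permit", "S", "A", "T"), [("has_role", "S", "R"), ("grant", "R", "A", "T")]),
    (("permit", "S", "write", "T"), [("owns", "S", "T")]),
]

def decide(subject, action, target):
    """The access decision is the theorem permit(subject, action, target)."""
    return ("permit", subject, action, target) in closure(FACTS, RULES)
```

Anything not derivable from the axioms is denied, so the interpreter is default-deny; the recursive `has_role` rule is what lets `alice` read the ledger through the role hierarchy.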