[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: [xacml] [glossary] Second Comments
The following is my second comments on XACML Glossary. I think XACML terms should be defined as common as possible. One way to do that is to follow established standard as much as possible. In my understanding, the international standard called 10181-3 Access Control Framework [1] seems to be the closest and the most rigid standard for our access control domain. I also think that it is ok to create a new term or borrow one from other recommendations, but it should be limited to the case where the notion we need to use means differently from the already defined one. Considering from the above perspective, there are several terms we should discuss further. Principal: The principal is defined in 10181-2: Authentication framework but not in 10181-3: Access control framework. I think that the XACML definition of Principal is not correct usage of Principal defined in 10181-2 meaning authenticated requesting entity. But the definition of XACML refers to the user portion of authorization policy. In this case, I think "Subject" would be more appropriate term. - I suggest to use "Subject" instead of "Principal." (XACML definition keeps the current definition.) Requester or Initiator: I think that we need a term for an entity that attempts to access the target resource. Principal written in XACML glossary does not mean that. In [1], Initiator: an entity (e.g. human user or computer-based entity) that attempts to access other entities, is used. In SAML, Requester is used. - I suggest to use "Initiator" or "Requester" to mean an entity (e.g. human user or computer-based entity) that attempts to access other entities. Resource: In [1], "Target" is used: an entity to which access may be attempted. But SAML uses "Resource" in their schema. I have no preference but just resource could mean rather general in access control context. - How about "Target Resource"? Authorization policy: Authorization policy component: Authorization Decision: Why do we prefer authorization to access control? Shorter? In [1], Access Control Policy and Access Control Policy Rules are used. The folloing is their definitions: Access Control Policy in [1]: the set of rules that define the conditions under which an access may take place. Access Control Policy Rules in [1]: security policy rules concerning the provision of the access control service The following is defined in [1] but not in XACML. Clearance: Initiator-bound access control information that can be compared with security labels of targets. SDA: Security Domain Authority: [1]: ISO/IEC 10181-3:1996, Information technology- Open Systems Interconnection - Security Frameworks for open systems: Access control framework Michiharu Kudo
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC