
Subject: RE: [xacml] [glossary] Second Comments


Michiharu - Thanks for the comments.  Some explanation ...

I think the ISO work is less influential than it might be, because it is not as easily accessible as the OASIS and IETF works.

The terms that currently appear in the XACML glossary are gleaned from the XACML charter, Ernesto's contribution on models and other important messages to the list.  So, it seems to be the set of terms that this group of experts uses.  Of course, I consulted the popular glossaries, and used their definitions where appropriate.  But, I found them overly-general, poorly-tailored to our domain, and collectively, they did not form a closely-bound, self-consistent, set.

You propose a couple of new terms (SDA and clearance).  Neither of these showed up in the various contributions to XACML.  So, I suggest we add them only when (and if) we find we need them.  On the topic of clearance and label, I know that Hal has objected to their use because, conventionally, they are bound to just one access-control model (that described by Bell and Lapadula) and it is our hope to be more general.

The decision made by SAML is to use "Subject" to mean the "name" of the entity.  Whereas, the term Principal refers to the entity itself.

I wrestled with the terms "Requestor" and "Initiator".  I am certainly willing to be persuaded otherwise.  But, I wonder whether we will, in fact, find it important to have a term for this.  We will have to be clear that we don't mean the PEP.  Also, it is not clear in my mind that the Requestor or Initiator has to be represented in the policy language.  If it is represented, then the definition of Principal should serve.

On the use of "Target", Hal has argued for its inclusion.  However, I believe his definition conflicts with the use of the term in the XACML charter.  We'll have to resolve that conflict.

On the topic of "Authorization", I believe we prefer this term over "Access control", because "Access control" is closely associated in people's minds with a fixed set of actions: read, write, execute, etc.  And, we want to allow a more general set of actions.  Choosing a different term signals to the reader that something different may be intended.

All the best.  Tim.

Tim Moses
Tel: 613.270.3183

-----Original Message-----
From: Michiharu Kudoh [mailto:KUDO@jp.ibm.com]
Sent: Friday, October 26, 2001 3:06 AM
To: Tim Moses <tim.moses
Cc: xacml@lists.oasis-open.org
Subject: [xacml] [glossary] Second Comments

The following is my second set of comments on the XACML Glossary.

I think XACML terms should be defined as commonly as possible.
One way to do that is to follow established standards as much as possible.
In my understanding, the international standard called 10181-3
Access Control Framework [1] seems to be the closest and the most
rigid standard for our access control domain.
I also think that it is ok to create a new term or borrow one from other
recommendations, but it should be limited to the case where the notion
we need to use means differently from the already defined one.

Considering the above perspective, there are several terms
we should discuss further.

The principal is defined in 10181-2: Authentication framework but not
in 10181-3: Access control framework. I think that the XACML definition
of Principal is not a correct usage of Principal as defined in 10181-2, meaning
an authenticated requesting entity. But the definition of XACML refers to
the user portion of the authorization policy. In this case, I think "Subject"
would be a more appropriate term.
- I suggest using "Subject" instead of "Principal."
(The XACML definition keeps the current definition.)

Requester or Initiator:
I think that we need a term for an entity that attempts to access the
target resource. Principal as written in the XACML glossary does not mean that.
In [1], Initiator: an entity (e.g. human user or computer-based entity)
that attempts to access other entities, is used. In SAML, Requester is used.
- I suggest using "Initiator" or "Requester" to mean an entity (e.g. human
user or computer-based entity) that attempts to access other entities.

In [1], "Target" is used: an entity to which access may be attempted.
But SAML uses "Resource" in their schema. I have no preference, but
just "Resource" could be rather general in an access control context.
- How about "Target Resource"?

Authorization policy:
Authorization policy component:
Authorization Decision:
Why do we prefer authorization to access control?  Shorter?
In [1], Access Control Policy and Access Control Policy Rules
are used. The following are their definitions:

Access Control Policy in [1]: the set of rules that define the conditions
under which an access may take place.
Access Control Policy Rules in [1]: security policy rules concerning the
provision of the access control service.

The following is defined in [1] but not in XACML.

Initiator-bound access control information that can be compared with
security labels of targets.

Security Domain Authority:

[1]: ISO/IEC 10181-3:1996, Information technology- Open Systems
Interconnection - Security Frameworks for open systems: Access control

Michiharu Kudo
