Subject: [xacml] Policy Model Subcommittee minutes (Nov. 5, 2001)...


Hi all,

Here are the minutes of last week's policy model call.

Michiharu:  can you please post these on the Web site?  Thanks!

Carlisle.


----------
From:   Simon Godik[SMTP:sgodik@crosslogix.com]
Sent:   Tuesday, November 06, 2001 1:59 PM
To:     'carlisle.adams@entrust.com'
Cc:     Simon Godik
Subject:        [xacml-policy-model] dec-5-2001-notes

Xpath

Ernesto: Check with Pierangela on the document she is writing. We are trying to specify what is a principal
and what is a resource and how they could be specified in relation to the saml assertions. We came out with
the idea to refer to saml assertions by using xpath inside xacml. Direct xpath use and macro-expansion.
Pierangela will put out a proposal on how it all could be done.

Hal: Saml uses assertion ids as assertion references.

Ernesto: Would you object to xpath?

Hal: xpath might point to an assertion that contains something else.

Ernesto: We still do not have a standard way to refer to principals and resources and env variables. Xpath
is not easy to read. This is a drawback. You could have pseudo predicates that expand.

Carlisle: Tim M. was envisioning that everything you look at is saml assertion and xpath will be appropriate.



Pre and post conditions

Hal: Tim M is making a distinction between pre and post conditions.

Carlisle: Tim M is not making a distinction between pep and pdp in execution for conditions.

Ernesto: As an example, to access a resource you need to sign an agreement. This is post-condition.

Hal: Part of policy enforcement is an agreement who is going to do what.

Simon: Sometimes there is not enough context in the pep to execute every post-condition. Some post-conditions
should be carried out by the pdp.

Ernesto: Explicit distinction between post and pre conditions should be supported at the language level.

Carlisle: The reason to have it in the syntax is that it is evident to the policy writer.

Hal: I'm still not sold on the use case and I'm concerned with misuse.

Ernesto: If pdp post-conditions are well identified then misuse is less likely. The outcome of pdp post-conditions
should not affect a client.

Hal: We can call pdp post-conditions internal and pep post-conditions external.



Evidence and assertions

Simon: There should be a distinction between evidence and assertions.

Ernesto: I like the distinction. Perhaps we can keep it from the model point of view.

Hal: Let's keep it open.



Points in the model

Carlisle: Tim has created a number of new entities. He is offering to draw a model.



To do

Think about xpath application to xacml. Try to provide concrete examples.


