xacml message

Subject: [xacml] [Fwd: RE: xacml <-> dsml]

forwarding this on from gil...


-------- Original Message --------
Subject: RE: xacml <-> dsml
Date: Fri, 14 Dec 2001 16:42:50 -0800
From: Gilbert Pilz <gilbert.pilz@e2open.com>
To: "'bill parducci '" <bill@parducci.net>

Sorry I missed the call. I've been flat on my back for a week with some
horrible mutant-flu thing.

Since the last time we talked I had the chance to play with DSML a little.
It seems to me that it is theoretically possible to transform an XACML
policy document into a DSML document and import that document into LDAP. The
DSML document could contain elements that described the (LDAP) schema
necessary to store the authorization policy entries in case the target LDAP
didn't already have this schema. It is also possible to export some LDAP
entries into a DSML document and transform that DSML document into XACML.

What I don't know (having nothing more than a cursory understanding of
XSL/XSLT) is how difficult such transformations would be and if there are
any "gotchas" that would keep this from really working.

What I think the XACML spec should do is:

1.) Describe the LDAP schema necessary to store authorization policies. This
should be done in "LDAP fashion" with dn's, classnames, etc.

2.) (if possible) Provide the XSLT necessary to transform XACML to DSML and
vice versa.

That way people who don't want to be bothered with DSML can work out their
own way to store and retrieve XACML data to and from the defined schema.

- gil
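The two pieces gil proposes, a defined LDAP schema for policy entries and a transform between the policy XML and DSML, can be sketched end to end. The following is an added example for this archive page, not code from the thread or from the XACML TC. It uses Python's ElementTree instead of the XSLT the message proposes, so the mapping logic is explicit; the DSML element names and namespace follow DSML 1.0, while the policy element form (`<Policy>`/`<Rule>` with subject, resource, action and effect attributes), the base DN `ou=policies,o=example`, the object class `xacmlRule` and the `xacml*` attribute types are all assumptions made up for the illustration. It also shows one of the "gotchas" the message worries about: LDAP attributes are multi-valued, so the importer refuses a rule entry with zero or several values for an attribute rather than silently picking one.

```python
import xml.etree.ElementTree as ET

# DSML 1.0 namespace (from the DSML 1.0 specification).
DSML_NS = "http://www.dsml.org/DSML"
D = "{%s}" % DSML_NS

# Assumed "LDAP fashion" schema for rule entries: hypothetical names chosen
# for this example, not anything the XACML TC defined.
BASE_DN = "ou=policies,o=example"
RULE_OBJECTCLASS = "xacmlRule"
ATTR_MAP = {            # policy XML attribute -> LDAP attribute type
    "subject": "xacmlSubject",
    "resource": "xacmlResource",
    "action": "xacmlAction",
    "effect": "xacmlEffect",
}

# Constructed sample policy in a minimal, hypothetical XML form.
POLICY_XML = """<Policy id="p1">
  <Rule id="r1" subject="cn=alice,ou=people,o=example"
        resource="/finance/report" action="read" effect="Permit"/>
  <Rule id="r2" subject="cn=bob,ou=people,o=example"
        resource="/finance/report" action="write" effect="Deny"/>
</Policy>"""


def rules_of(policy_xml):
    """Return the policy id and its rules as plain dicts (document order)."""
    policy = ET.fromstring(policy_xml)
    rules = [dict(rule.attrib) for rule in policy.findall("Rule")]
    return policy.get("id"), rules


def policy_to_dsml(policy_xml):
    """Export: one DSML <entry> per rule, under cn=<policy id>,<BASE_DN>."""
    policy_id, rules = rules_of(policy_xml)
    ET.register_namespace("dsml", DSML_NS)
    root = ET.Element(D + "dsml")
    entries = ET.SubElement(root, D + "directory-entries")
    for rule in rules:
        dn = "cn=%s,cn=%s,%s" % (rule["id"], policy_id, BASE_DN)
        entry = ET.SubElement(entries, D + "entry", dn=dn)
        oc = ET.SubElement(entry, D + "objectclass")
        ET.SubElement(oc, D + "oc-value").text = "top"
        ET.SubElement(oc, D + "oc-value").text = RULE_OBJECTCLASS
        for xml_attr, ldap_attr in ATTR_MAP.items():
            attr = ET.SubElement(entry, D + "attr", name=ldap_attr)
            ET.SubElement(attr, D + "value").text = rule[xml_attr]
    return ET.tostring(root, encoding="unicode")


def dsml_to_policy(dsml_xml):
    """Import: rebuild the policy XML from DSML entries of the rule class.

    Refuses entries whose mapped attributes are missing or multi-valued, so
    a stray directory edit cannot quietly come back as a different policy.
    """
    ns = {"dsml": DSML_NS}
    root = ET.fromstring(dsml_xml)
    policy_id, rules = None, []
    for entry in root.findall("dsml:directory-entries/dsml:entry", ns):
        classes = {v.text for v in entry.findall("dsml:objectclass/dsml:oc-value", ns)}
        if RULE_OBJECTCLASS not in classes:
            continue                      # not a rule entry; ignore it
        dn = entry.get("dn")
        # Naive RDN split: adequate for the DNs this example constructs, but a
        # real importer needs an RFC 4514 DN parser (commas may be escaped).
        rdns = [r.split("=", 1) for r in dn.split(",")]
        rule = {"id": rdns[0][1]}
        policy_id = rdns[1][1]
        values = {}
        for attr in entry.findall("dsml:attr", ns):
            values.setdefault(attr.get("name"), []).extend(
                v.text for v in attr.findall("dsml:value", ns))
        for xml_attr, ldap_attr in ATTR_MAP.items():
            vals = values.get(ldap_attr, [])
            if len(vals) != 1:
                raise ValueError("%s: expected exactly one %s, found %d"
                                 % (dn, ldap_attr, len(vals)))
            rule[xml_attr] = vals[0]
        rules.append(rule)
    if policy_id is None:
        raise ValueError("no %s entries in DSML document" % RULE_OBJECTCLASS)
    policy = ET.Element("Policy", id=policy_id)
    for rule in rules:
        ET.SubElement(policy, "Rule", **rule)
    return ET.tostring(policy, encoding="unicode")


def round_trip_is_lossless(policy_xml):
    """The check a deployer wants before trusting the directory copy."""
    return rules_of(policy_xml) == rules_of(dsml_to_policy(policy_to_dsml(policy_xml)))


if __name__ == "__main__":
    print(policy_to_dsml(POLICY_XML))
    print("lossless:", round_trip_is_lossless(POLICY_XML))
```

The round-trip check is the part worth keeping whatever transform technology is used: an authorization policy that comes back from the directory with a rule dropped, or with a Deny read as a Permit, is a silent change in who may do what, so the import path should fail closed on any ambiguity rather than guess.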

