Re: [xacml] proposed amendment to Polar's resolution of PM-2-05

[Polar Humenn <polar@syr.edu>]

Also, in the side dicussion with Bill, I also formulated, and formalized
with keyword MAY by Konstantin's amendment, was a PDP that must make a
trust decision on its client, i.e. a PEP in Bill's case, of whether it
gives up any information about how to obtain an access decision.

The basic crux of the argument is that a PDP that hands back
"indeterminate" with "insufficient infomration", and names needed
attributes that are already supplied in the request, is a protocol error.

Whether a PDP hands back lists the names of any needed attributes is a
trust determination on its client. So, if a rouge can get access to the
PDP, the PDP should have precautions enough not to turn up sensitive
information to rouges. Otherwise, it should be operating overly paranoid
mode and return nothing.

The requirement doesn't say that the PDP MUST return the names of needed
attributes, merely states that it MAY, and states what is illegal to
return if it does. The purpose of that requirement is to provide some
narrowing that converges to an access decision, otherwise, infinate loops
can occur.

There is still somewhat of a problem with convergence. Each time with more
and more attributes supplied the PDP can still ask for different
attributes, leading you down an infinite path. However, that is a
determination by a PDP's client for now long that request/reply scenario
can go.

I thought about mandating that the PDP must supply the name of ALL
attributes needed, and cannot return anything not from that initial set.
However, that requires state, or at the very least a complete determinate
computation of all needed attributes. Given our structure of XACML and
the composibility of policies, this is nearly impossible in the general
sense.


Cheers,
-Polar

 On Fri, 5 Apr 2002, bill parducci wrote:

> in a side discussion with polar it was my impresssion that this exchange
> excluded responses to a PEP. is this consistent with the understganding
> of others?
>
> i have a BIG problem with a a PDP returning anything to a PEP other than
> the decision/obligation, particularly if it provides information on how
> to acheive a decision.
>
> b
>
> > "Beznosov, Konstantin" wrote:
> >
> > I suggest to amend the text of the resolution so that the above
> > fragment will read the following:
>
> The PDP MAY return an "authorization decision" of "indeterminate" with
> an error code of "insufficient information", signifying that more
> information needed. In this case, the "authorization decision" MAY list
> the names of any attributes of the subject and the resource that are
> needed by the PDP to refine its "authorization decision".
>
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: <http://lists.oasis-open.org/ob/adm.pl>
>