Subject: Re: [xacml] proposed amendment to Polar's resolution of PM-2-05
Also, in the side discussion with Bill, what I formulated, and what was formalized with the keyword MAY by Konstantin's amendment, was that a PDP must make a trust decision on its client, i.e. a PEP in Bill's case, of whether it gives up any information about how to obtain an access decision.

The basic crux of the argument is that a PDP that hands back "indeterminate" with "insufficient information", and names needed attributes that are already supplied in the request, is a protocol error. Whether a PDP hands back a list of the names of any needed attributes is a trust determination on its client. So, if a rogue can get access to the PDP, the PDP should have precautions enough not to turn up sensitive information to rogues. Otherwise, it should be operating in overly paranoid mode and return nothing.

The requirement doesn't say that the PDP MUST return the names of needed attributes; it merely states that it MAY, and states what is illegal to return if it does. The purpose of that requirement is to provide some narrowing that converges to an access decision; otherwise, infinite loops can occur.

There is still somewhat of a problem with convergence. Each time, with more and more attributes supplied, the PDP can still ask for different attributes, leading you down an infinite path. However, that is a determination by a PDP's client for how long that request/reply scenario can go.

I thought about mandating that the PDP must supply the names of ALL attributes needed, and cannot return anything not from that initial set. However, that requires state, or at the very least a complete determinate computation of all needed attributes. Given our structure of XACML and the composability of policies, this is nearly impossible in the general sense.

Cheers,
-Polar

On Fri, 5 Apr 2002, bill parducci wrote:
> in a side discussion with polar it was my impression that this exchange
> excluded responses to a PEP. is this consistent with the understanding
> of others?
>
> i have a BIG problem with a PDP returning anything to a PEP other than
> the decision/obligation, particularly if it provides information on how
> to achieve a decision.
>
> b
>
> "Beznosov, Konstantin" wrote:
> >
> > I suggest to amend the text of the resolution so that the above
> > fragment will read the following:
> >
> > The PDP MAY return an "authorization decision" of "indeterminate" with
> > an error code of "insufficient information", signifying that more
> > information is needed. In this case, the "authorization decision" MAY list
> > the names of any attributes of the subject and the resource that are
> > needed by the PDP to refine its "authorization decision".
> >
> > ----------------------------------------------------------------
> > To subscribe or unsubscribe from this elist use the subscription
> > manager: <http://lists.oasis-open.org/ob/adm.pl>
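The request/reply exchange discussed in this thread, as an added Python model that is not part of the thread or of any XACML implementation: a toy PDP returns "indeterminate" with "insufficient information" and discloses the needed attribute names only to a trusted client, and a PEP loop resupplies attributes, treats a request for already-supplied attributes as the protocol error Polar describes, and bounds the number of rounds itself. The policy, attribute names, trust flag and round limit are all constructed for illustration.

```python
# Constructed toy policy: a decision needs all of these attributes present.
REQUIRED = {"subject:role", "subject:clearance", "resource:classification"}
MAX_ROUNDS = 3  # the client's own bound on how long the loop may run (assumption)


def pdp_evaluate(request, client_trusted):
    """Toy PDP. Returns (decision, status, needed_attribute_names)."""
    missing = REQUIRED - set(request)
    if not missing:
        permit = (request["subject:role"] == "analyst"
                  and request["subject:clearance"] >= request["resource:classification"])
        return ("Permit" if permit else "Deny", "ok", set())
    # Trust decision on the client: only a trusted PEP learns which attributes
    # are needed; an untrusted client gets nothing ("overly paranoid mode").
    disclosed = missing if client_trusted else set()
    return ("Indeterminate", "insufficient information", disclosed)


def pep_loop(initial, available, client_trusted=True, pdp=pdp_evaluate):
    """PEP side: resupply requested attributes, detect protocol errors, bound the loop.

    `available` is the constructed set of attributes the PEP could fetch if asked.
    Returns the final decision string, or "ProtocolError".
    """
    request = dict(initial)
    for _ in range(MAX_ROUNDS):
        decision, status, needed = pdp(request, client_trusted)
        if decision != "Indeterminate":
            return decision
        if not needed:
            return "Indeterminate"  # PDP disclosed nothing; nothing to refine
        if needed & set(request):
            # PDP named attributes already in the request: protocol error
            return "ProtocolError"
        obtainable = {n: available[n] for n in needed if n in available}
        if not obtainable:
            return "Indeterminate"  # cannot converge; stop rather than loop
        request.update(obtainable)
    return "Indeterminate"  # client-imposed round limit reached
```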