Subject: Re: [xacml] Mon 29th concall - URGENT

I will not be able to join the confcall today because of schedule
conflicts. Since I had little time to update the current proposal, I just
attach below the same document I sent the other day, and also attach the
XACML Context schema and XACML Response Context schema without any
modification from the discussion at the F2F in Milan.

Best regards,
Michiharu Kudo

IBM Tokyo Research Laboratory, Internet Technology
Tel. +81 (46) 215-4642   Fax +81 (46) 273-7428
Proposal Draft for XACML Context
April 23, 2002
Author:  Michiharu Kudo

This proposal introduces an XACML Context that defines the input parameters to
the XACML policy evaluation engine. The primary purpose of the XACML Context is
to simplify the attribute expressions that refer to the input parameters of
XACML.

1.   Issues
When the XACML policy evaluation processor tries to retrieve values specified
in a SAML Request, the following problems can arise:

- A policy writer needs to add some information that may not be included in
the SAML Request, e.g. the distinction between a subject attribute and a
resource attribute.
- The XACML policy specification comes to depend heavily on the SAML Request
syntax and semantics, which may be updated from time to time.
- Since several assertion formats/syntaxes/semantics have been proposed or
deployed, a SAML-dependent XACML policy specification may reduce the
applicability of XACML policies.

2.  XACML Context
We introduce the notion of an XACML Context that functions as an intermediate,
assertion-neutral input data structure. The XACML Context is represented by an
XML document (logically; it need not be a physical XML instance, but may be a
hypothetical XML document) that contains enough information for the XACML
processor, such as subject attributes (e.g. the role of the requesting
principal), resource attributes (e.g. the size of the resource), and
miscellaneous attributes (e.g. the current time). While we assume that all the
input to the XACML Context is retrieved from the corresponding SAML Request,
there are cases where the PDP itself supplies a set of attribute type-value
pairs for subjects and resources. This depends on the configuration of the PDP.

2.1 Merits
-    The XACML policy specification becomes simpler with respect to attribute
references and their expression.
-    XPath computation is done only once, when the transformation from the
original access request to the XACML Context is performed.
-    The XACML processor does not have to compute XPath expressions on the
target XML resource, which might cause a performance bottleneck, particularly
when the target XML is huge.
-    When the target resource is XML, the XACML policy does not have to be
aware of the difference between a remote XML instance (referred to by URI) and
a local XML instance embedded in the original access request.

2.2 Proposal

1.   An XACML policyStatement (and/or policySetStatement) specifies an optional
<transforms> element that defines the syntax and the semantics of the XACML

2.   <transforms> is described using XSLT syntax.

3.   When a <transforms> element is specified in a <policyStatement>, the PDP
performs a set of transformations against the SAML Request (if the access
request is represented in SAML) and the requested XML target resource (if the
target is an XML resource).

4.   Once the transformation is performed, the input to the XACML processor,
including the access request and relevant information, is specified as a
potentially simple XML document whose element names are easily referred to by
simple XPath expressions (e.g. /context/subject/NameIdentifier) in both the
<target> section and the <condition> section.

5.   Through the face-to-face discussion by TC members, we decided to
define an XML schema for the XACML Context.
The following figure shows the data flow of the XACML Context-based architecture.
(refer to the pdf or word file)
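The transform-then-reference flow of sections 2 and 2.2, as an added worked example that is not part of this proposal or of any XACML TC artefact: a constructed SAML-style request is transformed into a context document whose subject, resource and other attributes are explicitly separated, and policy conditions then use the simple absolute paths the proposal describes (e.g. /context/subject/NameIdentifier). The proposal specifies the transform in XSLT; since the Python standard library ships no XSLT processor, the transform is written here with xml.etree instead. The request element names, the policy and the department attribute are this example's own assumptions.

```python
"""Added example, not part of Michiharu Kudo's proposal or of any XACML TC
artefact: build an XACML Context from a constructed SAML-style request and
evaluate policy conditions against it with simple XPath. The proposal
specifies the transform in XSLT; the Python standard library has no XSLT
processor, so the transform is written with xml.etree."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

# Constructed sample request (element names are this example's own): a subject
# with an attribute statement, the XML resource embedded inline, and an action.
SAMPLE_REQUEST = """<Request>
  <Subject>
    <NameIdentifier>alice@example.org</NameIdentifier>
    <AttributeStatement>
      <Attribute Name="role">doctor</Attribute>
      <Attribute Name="department">cardiology</Attribute>
    </AttributeStatement>
  </Subject>
  <Resource uri="urn:example:record:42">
    <Content>
      <record>
        <patient department="cardiology"/>
        <payload>large body omitted</payload>
      </record>
    </Content>
  </Resource>
  <Action>read</Action>
</Request>"""


def build_context(request_xml, now=None):
    """Transform the request into the assertion-neutral XACML Context.

    Each attribute lands under an element naming its origin (subject vs.
    resource), which section 1 asks for, and the XPath into the possibly large
    resource content runs here once rather than in every policy condition.
    """
    req = ET.fromstring(request_xml)
    ctx = ET.Element("context")

    subject = ET.SubElement(ctx, "subject")
    ET.SubElement(subject, "NameIdentifier").text = req.findtext("Subject/NameIdentifier")
    for attr in req.findall("Subject/AttributeStatement/Attribute"):
        ET.SubElement(subject, "attribute", Name=attr.get("Name")).text = attr.text

    resource = ET.SubElement(ctx, "resource")
    res = req.find("Resource")
    ET.SubElement(resource, "uri").text = res.get("uri")
    # Resource attribute pre-computed from the embedded content; policies see
    # only this value, never the whole document.
    patient = res.find("Content/record/patient")
    dept = patient.get("department") if patient is not None else None
    ET.SubElement(resource, "attribute", Name="department").text = dept

    ET.SubElement(ctx, "action").text = req.findtext("Action")

    # Miscellaneous attributes supplied by the PDP itself, e.g. current time.
    other = ET.SubElement(ctx, "other")
    ET.SubElement(other, "currentTime").text = (now or datetime.now(timezone.utc)).isoformat()
    return ctx


def lookup(ctx, path):
    """Resolve a policy path such as /context/subject/NameIdentifier.

    ElementTree evaluates paths relative to an element, so the absolute
    /context/ prefix used in the proposal is stripped first.
    """
    prefix = "/" + ctx.tag + "/"
    if not path.startswith(prefix):
        raise ValueError("policy path must start with " + prefix)
    return ctx.findtext(path[len(prefix):])


# Constructed policy: a doctor may read records of the doctor's own department.
CONDITIONS = [
    ("/context/subject/attribute[@Name='role']", "doctor"),
    ("/context/action", "read"),
]


def same_department(ctx):
    """Compare a subject attribute with a resource attribute of the context.

    A missing attribute on either side never matches (fail closed).
    """
    subj = lookup(ctx, "/context/subject/attribute[@Name='department']")
    res = lookup(ctx, "/context/resource/attribute[@Name='department']")
    return subj is not None and subj == res


def decide(request_xml):
    """Return Permit only when every condition holds against the context."""
    ctx = build_context(request_xml)
    if not same_department(ctx):
        return "Deny"
    for path, expected in CONDITIONS:
        if lookup(ctx, path) != expected:
            return "Deny"
    return "Permit"


if __name__ == "__main__":
    print(ET.tostring(build_context(SAMPLE_REQUEST)).decode())
    print(decide(SAMPLE_REQUEST))
```

The point to notice is that the policy never touches the request or the resource document: the transform is the only place that knows the SAML layout and the resource's structure, so a change in either is absorbed there, and every value a condition reads carries its origin (subject, resource, other) in its path.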

XACML Context Schema  (temporary result from the F2F discussion, may not be
valid!)
<?xml version="1.0" encoding="UTF-8"?>
<schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="unqualified" attributeFormDefault="unqualified">
<complexType name="ContextType">
      <element ref="xacml:ContextPrincipal"/>
      <element ref="xacml:ContextResource"/>
      <element ref="xacml:ContextAction"/>
      <element ref="xacml:ContextRequestParameters"/>
      <element ref="xacml:ContextOther"/>

<element name="ContextPrincipal" type="xacml:ContextPrincipalType"/>
<complexType name="ContextPrincipalType">
      <element ref="xacml:PrincipalSpecifier" minOccurs="1" maxOccurs
      <element ref="xacml:Assertion" minOccurs="0" maxOccurs="unbounded"/>

<complexType name="PrincipalSpecifierAbstractType" abstract="true"/>

<element name="SimplePrincipalSpecifier" type
<complexType name="SimplePrincipalSpecifierType">
      <extension base="xacml:PrincipalSpecifierAbstractType">
               <element ref="NameIdentifier"/>
               <element ref="SubjectConfirmation" minOccurs="0"/>
            <element ref="SubjectConfirmation"/>

<element name="ContextResource" type="xacml:ContextResourceType"/>
<complexType name="ContextResourceType">
      <element ref="xacml:ResourceSpecifier"/>
      <element ref="xacml:Assertion" minOccurs="0" maxOccurs="unbounded"/>

<element name="ResourceSpecifier" type="xacml:ResourceSpecifierType"/>
<complexType name="ResourceSpecifierType">
   <element ref="Content" minOccurs="0"/>
<attribute name="uri" type="anyURI" use="optional"/>

<element name="Content" type="anyType"/>

<element name="ContextAction" type="xacml:ContextActionType"/>
<complexType name="ContextActionType">
   <element ref="xacml:ActionSpecifier"/>

<element name="ContextRequestParameters" type
<complexType name="ContextRequestParametersType">
      <element ref="xacml:Parameter" minOccurs="0" maxOccurs="unbounded"/>

<element name="ContextOther" type="xacml:ContextOtherType"/>
<complexType name="ContextOtherType">
      <element ref="xacml:Assertion" minOccurs="0" maxOccurs="unbounded"/>

<element name="Assertion" type="xacml:AssertionType"/>
   <complexType name="AssertionType">
         <choice maxOccurs="unbounded">
            <element ref="xacml:AuthenticationStatement"/>
            <element ref="xacml:AuthorizationDecisionStatement"/>
            <element ref="xacml:AttributeStatement"/>
     <attribute name="Issuer" type="string" use="required"/>
      <attribute name="IssueInstant" type="dateTime" use="optional"/>

   <complexType name="AbstractStatementType" abstract="true">
         <element ref="xacml:AssnSubject" minOccurs="0" maxOccurs="1"/>

   <element name="AssnSubject" type="xacml:AssnSubjectType"/>
   <complexType name="AssnSubjectType">
   <complexType name="AuthenticationStatementType">

XACML Response Context Schema  (temporary result from the F2F discussion,
may not be valid!)

<?xml version="1.0" encoding="UTF-8"?>
<schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="unqualified" attributeFormDefault="unqualified">

<element name="ResponseContext" type="xacml:ResponseContextType"/>
<complexType name="ResponseContextType">
     <element ref="xacml:Decision" minOccurs="1" maxOccurs="1"/>

<element name="Decision" type="xacml:DecisionType"/>

<element name="Permit" type="xacml:EffectDecisionType"/>
<element name="Deny" type="xacml:EffectDecisionType"/>
<element name="Indeterminate" type="xacml:IndeterminateDecisionType"/>

<complexType name="DecisionType" abstract="true"/>

<complexType name="EffectDecisionType">
   <extension base="DecisionType">
       <element ref="xacml:Obligations"/>

<complexType name="IndeterminateDecisionType">
   <extension base="DecisionType">
       <element ref="xacml:Advice"/>

<element name="Obligations" type="xacml:ObligationsType"/>
<complexType name="ObligationsType">
      <element ref="xacml:Obligation" minOccurs="0" maxOccurs="unbounded"/>

<element name="Obligation" type="xacml:ObligationType"/>
<complexType name="ObligationType">
   <attribute name="uri" type="anyURI"/>
     <element ref="xacml:Parameter" minOccurs="0" maxOccurs="unbounded"/>

<element name="Advice" type="xacml:AdviceType"/>
<complexType name="AdviceType">
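A PEP-side reader for the draft Response Context above, as an added example that is not part of this proposal or of any XACML TC artefact. It follows what the draft schema does fix: a Decision holding exactly one of Permit, Deny or Indeterminate, where Permit and Deny carry Obligations and Indeterminate carries Advice. The draft leaves Parameter and AdviceType undefined, so the `<Parameter name="...">value</Parameter>` shape, the free-text Advice body, the absence of a namespace and the sample responses are this example's own assumptions.

```python
"""Added example, not part of the proposal: read the draft XACML Response
Context at a PEP and enforce it fail-closed. The Parameter shape, the
free-text Advice body and the sample documents are constructed here; the
draft does not define them."""
import xml.etree.ElementTree as ET

# Per the draft: the single child Decision may hold, and the one child each
# effect element may carry. Anything else is treated as malformed.
EFFECT_CHILD = {"Permit": "Obligations", "Deny": "Obligations", "Indeterminate": "Advice"}


def read_response(xml_text):
    """Return (decision, obligations, advice) from a ResponseContext.

    obligations is a list of (uri, {parameter name: value}); advice is a list
    of strings. A missing Decision, an unknown effect or an unexpected child
    is reported as Indeterminate so that a malformed or tampered response can
    never be mistaken for Permit.
    """
    root = ET.fromstring(xml_text)
    decision = root.find("Decision")
    if decision is None or len(decision) != 1 or decision[0].tag not in EFFECT_CHILD:
        return ("Indeterminate", [], ["malformed response"])
    effect = decision[0]
    if any(child.tag != EFFECT_CHILD[effect.tag] for child in effect):
        return ("Indeterminate", [], ["unexpected child of " + effect.tag])
    obligations = [
        (o.get("uri"), {p.get("name"): p.text for p in o.findall("Parameter")})
        for o in effect.findall("Obligations/Obligation")
    ]
    advice = [a.text for a in effect.findall("Advice")]
    return (effect.tag, obligations, advice)


def enforce(xml_text, fulfil):
    """PEP rule: grant access only on Permit and only if every obligation is
    fulfilled; fulfil(uri, params) returns True on success."""
    decision, obligations, _advice = read_response(xml_text)
    if decision != "Permit":
        return False
    return all(fulfil(uri, params) for uri, params in obligations)


# Constructed sample responses.
PERMIT_WITH_OBLIGATION = """<ResponseContext>
  <Decision>
    <Permit>
      <Obligations>
        <Obligation uri="urn:example:obligation:log">
          <Parameter name="level">audit</Parameter>
        </Obligation>
      </Obligations>
    </Permit>
  </Decision>
</ResponseContext>"""

INDETERMINATE_WITH_ADVICE = """<ResponseContext>
  <Decision>
    <Indeterminate>
      <Advice>missing subject attribute: role</Advice>
    </Indeterminate>
  </Decision>
</ResponseContext>"""

# Unknown effect element: must not be read as a grant.
BOGUS = "<ResponseContext><Decision><Allow/></Decision></ResponseContext>"


if __name__ == "__main__":
    for doc in (PERMIT_WITH_OBLIGATION, INDETERMINATE_WITH_ADVICE, BOGUS):
        print(read_response(doc), enforce(doc, lambda uri, params: True))
```

Two decisions in this reader matter more than the parsing: an obligation the PEP cannot fulfil turns a Permit into no access, and every shape the schema does not allow collapses to Indeterminate rather than to a guess.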

From: ernesto damiani <edamiani@crema.unimi.it>
To: Anne.Anderson@Sun.com, XACML TC <xacml@lists.oasis-open.org>
Subject: [xacml] Mon 29th concall - URGENT

Dear all,
I hope you all had a safe trip back and carry not-too-bad memories of your
stay in Italy.
As was decided at the F2F, the agenda for today's concall will be

1. discussing and hopefully approving Michiharu's (and Simon's) proposal for
the XACML context that was sent to the list a couple of days ago. Tim's
comments would be useful here.

2. As a possible second point, I would also like to remind you that we
do not have a description of our activity on the Web; Michiharu asked for
Here is my proposal:

"The Schema subcommittee is aimed at:
1. developing the XACML access control model into an XML Schema (and its
associated namespace) expressing normative XACML 1.0 syntax.
2. providing examples of policies written in XACML based on real-world use
3. providing general, non-normative guidelines for implementation and
conformance tests."

Anyway, points two and three could be deleted if you believe we already have
our hands full at the moment.

IMPORTANT: I had a sudden health problem (nothing serious, a terrible
toothache, and my face is half swollen). I am waiting for a call from my
dentist telling me when I can go, and if it is during concall hours I won't
be able to attend. Sorry.


