Subject: Re: [xacml] Mon 29th concall - URGENT
Hi, I will not be able to participate in the concall either (I am out of the office).

Best,
-p

On Mon, 29 Apr 2002, Michiharu Kudoh wrote:

> I will not be able to join the confcall today because of schedule
> conflicts. Since I had little time to update the current proposal, I just
> attach below the same document I sent the other day, and also attach the
> XACML Context schema and XACML Response Context schema without any
> modification from the discussion in the F2F in Milan.
>
> Best regards,
> Michiharu Kudo
>
> IBM Tokyo Research Laboratory, Internet Technology
> Tel. +81 (46) 215-4642 Fax +81 (46) 273-7428
> ===============================================================
> Proposal Draft for XACML Context
> April 23, 2002
> Author: Michiharu Kudo
>
> This proposal introduces an XACML Context that defines the input parameters to
> the XACML policy evaluation engine. A primary purpose of the XACML Context is
> to facilitate attribute expressions that refer to the input parameters of
> XACML.
>
> 1. Issues
> When the XACML policy evaluation processor tries to retrieve values specified
> in a SAML Request, it potentially causes the following problems:
>
> - A policy writer needs to add some information that may not be
> included in the SAML Request, e.g. the distinction between subject attributes and
> resource attributes.
> - The XACML policy specification greatly depends on SAML Request syntax and
> semantics that may be updated from time to time.
> - Since several assertion specification formats/syntaxes/semantics have been
> proposed/deployed, a SAML-dependent XACML policy specification may reduce the
> applicability of the XACML policy specification.
>
> 2. XACML Context
> We introduce the notion of an XACML Context that functions as an intermediate,
> assertion-neutral input data structure. The XACML Context is represented by an
> XML document (logically; it is not necessarily a physical XML instance but a
> hypothetical XML document) that contains enough information for the XACML
> processor, such as subject attributes (e.g. role of the requesting
> principal), resource attributes (e.g. size of resource), and miscellaneous
> attributes (e.g. current time). While we assume that all the input to the XACML
> Context is retrieved from the corresponding SAML Request, there is a case
> where the PDP supplies a set of attribute type-value pairs for subjects and
> resources. It depends on the configuration of the PDP.
>
> 2.1 Merits
> - The XACML policy specification becomes simpler with respect to attribute
> references and their expression.
> - XPath computation is done only once, when the transformation from the
> original access request to the XACML Context is performed.
> - The XACML processor does not have to compute XPath expressions on the target
> XML resource, which might cause a performance bottleneck, particularly when the
> target XML is huge.
> - When the target resource is XML, the XACML policy does not have to be aware of
> the difference between a remote XML instance (referred to by URI) and a local XML
> instance embedded in the original access request.
>
> 2.2 Proposal
>
> 1. The XACML policyStatement (and/or policySetStatement) specifies an optional
> <transforms> element that defines the syntax and the semantics of the XACML
> Context.
>
> 2. <transforms> is described using XSLT syntax.
>
> 3. When a <transforms> element is specified in <policyStatement>, the PDP
> performs a set of transformations against the SAML Request (if the access
> request is represented in SAML) and the requested XML target resource (if the
> target is an XML resource).
>
> 4. Once the transformation is performed, the input to the XACML processor,
> including the access request and relevant information, is specified as a
> potentially simple XML document whose element names are easily referred to by
> simple XPath expressions (e.g. /context/subject/NameIdentifier) in both the
> <target> section and the <condition> section.
>
> 5. Through the face-to-face discussion by TC members, we decided to
> define an XML schema for the XACML Context.
> The following figure shows the data flow of the XACML Context-based architecture.
> (refer to the pdf or word file)
>
> ============================================================
> XACML Context Schema (temporary result from the F2F discussion, may not be
> valid)
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!-- The draft declares neither a default namespace for the schema
>      vocabulary nor a target namespace for the xacml: prefix it uses;
>      the xacml namespace URI below is a placeholder. SAML elements are
>      imported because NameIdentifier and SubjectConfirmation are SAML
>      assertion elements, not XACML ones. -->
> <schema xmlns="http://www.w3.org/2001/XMLSchema"
>         xmlns:xacml="urn:oasis:names:tc:xacml:0.1:context"
>         xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
>         targetNamespace="urn:oasis:names:tc:xacml:0.1:context"
>         elementFormDefault="unqualified" attributeFormDefault="unqualified">
>
>   <import namespace="urn:oasis:names:tc:SAML:1.0:assertion"/>
>
>   <!-- Root element; the draft defines ContextType but declares no element of it. -->
>   <element name="Context" type="xacml:ContextType"/>
>   <complexType name="ContextType">
>     <sequence>
>       <element ref="xacml:ContextPrincipal"/>
>       <element ref="xacml:ContextResource"/>
>       <element ref="xacml:ContextAction"/>
>       <element ref="xacml:ContextRequestParameters"/>
>       <element ref="xacml:ContextOther"/>
>     </sequence>
>   </complexType>
>
>   <element name="ContextPrincipal" type="xacml:ContextPrincipalType"/>
>   <complexType name="ContextPrincipalType">
>     <sequence>
>       <element ref="xacml:PrincipalSpecifier" minOccurs="1" maxOccurs="unbounded"/>
>       <element ref="xacml:Assertion" minOccurs="0" maxOccurs="unbounded"/>
>     </sequence>
>   </complexType>
>
>   <!-- Abstract head of the specifier substitution group; the draft references
>        PrincipalSpecifier without declaring it. -->
>   <element name="PrincipalSpecifier" type="xacml:PrincipalSpecifierAbstractType" abstract="true"/>
>   <complexType name="PrincipalSpecifierAbstractType" abstract="true"/>
>
>   <element name="SimplePrincipalSpecifier" type="xacml:SimplePrincipalSpecifierType"
>            substitutionGroup="xacml:PrincipalSpecifier"/>
>   <complexType name="SimplePrincipalSpecifierType">
>     <complexContent>
>       <extension base="xacml:PrincipalSpecifierAbstractType">
>         <choice>
>           <sequence>
>             <element ref="saml:NameIdentifier"/>
>             <element ref="saml:SubjectConfirmation" minOccurs="0"/>
>           </sequence>
>           <element ref="saml:SubjectConfirmation"/>
>         </choice>
>       </extension>
>     </complexContent>
>   </complexType>
>
>   <element name="ContextResource" type="xacml:ContextResourceType"/>
>   <complexType name="ContextResourceType">
>     <sequence>
>       <element ref="xacml:ResourceSpecifier"/>
>       <element ref="xacml:Assertion" minOccurs="0" maxOccurs="unbounded"/>
>     </sequence>
>   </complexType>
>
>   <element name="ResourceSpecifier" type="xacml:ResourceSpecifierType"/>
>   <complexType name="ResourceSpecifierType">
>     <sequence>
>       <element ref="xacml:Content" minOccurs="0"/>
>     </sequence>
>     <attribute name="uri" type="anyURI" use="optional"/>
>   </complexType>
>
>   <element name="Content" type="anyType"/>
>
>   <element name="ContextAction" type="xacml:ContextActionType"/>
>   <complexType name="ContextActionType">
>     <sequence>
>       <!-- ActionSpecifier is referenced but not declared in this draft. -->
>       <element ref="xacml:ActionSpecifier"/>
>     </sequence>
>   </complexType>
>
>   <element name="ContextRequestParameters" type="xacml:ContextRequestParametersType"/>
>   <complexType name="ContextRequestParametersType">
>     <sequence>
>       <!-- Parameter is referenced but not declared in this draft. -->
>       <element ref="xacml:Parameter" minOccurs="0" maxOccurs="unbounded"/>
>     </sequence>
>   </complexType>
>
>   <element name="ContextOther" type="xacml:ContextOtherType"/>
>   <complexType name="ContextOtherType">
>     <sequence>
>       <element ref="xacml:Assertion" minOccurs="0" maxOccurs="unbounded"/>
>     </sequence>
>   </complexType>
>
>   <!-- An element name may not carry a prefix; the target namespace supplies it. -->
>   <element name="Assertion" type="xacml:AssertionType"/>
>   <complexType name="AssertionType">
>     <sequence>
>       <!-- The three statement elements are referenced but not declared here;
>            only AuthenticationStatementType is sketched below. -->
>       <choice maxOccurs="unbounded">
>         <element ref="xacml:AuthenticationStatement"/>
>         <element ref="xacml:AuthorizationDecisionStatement"/>
>         <element ref="xacml:AttributeStatement"/>
>       </choice>
>     </sequence>
>     <attribute name="Issuer" type="string" use="required"/>
>     <attribute name="IssueInstant" type="dateTime" use="optional"/>
>   </complexType>
>
>   <complexType name="AbstractStatementType" abstract="true">
>     <sequence>
>       <element ref="xacml:AssnSubject" minOccurs="0" maxOccurs="1"/>
>     </sequence>
>   </complexType>
>
>   <element name="AssnSubject" type="xacml:AssnSubjectType"/>
>   <complexType name="AssnSubjectType">
>   </complexType>
>
>   <complexType name="AuthenticationStatementType">
>     <complexContent>
>       <!-- The draft leaves this derivation empty; extending
>            AbstractStatementType is the evident intent. -->
>       <extension base="xacml:AbstractStatementType"/>
>     </complexContent>
>   </complexType>
> </schema>
>
>
> ============================================================
> XACML Response Context Schema (temporary result from the F2F discussion,
> may not be valid!)
>
> <?xml version="1.0" encoding="UTF-8"?>
> <schema xmlns="http://www.w3.org/2001/XMLSchema"
>         xmlns:xacml="urn:oasis:names:tc:xacml:0.1:context"
>         targetNamespace="urn:oasis:names:tc:xacml:0.1:context"
>         elementFormDefault="unqualified" attributeFormDefault="unqualified">
>
>   <element name="ResponseContext" type="xacml:ResponseContextType"/>
>   <complexType name="ResponseContextType">
>     <sequence>
>       <element ref="xacml:Decision" minOccurs="1" maxOccurs="1"/>
>     </sequence>
>   </complexType>
>
>   <!-- Decision is abstract; Permit, Deny and Indeterminate substitute for it
>        (substitution group added; the draft only declared the three elements). -->
>   <element name="Decision" type="xacml:DecisionType" abstract="true"/>
>   <complexType name="DecisionType" abstract="true"/>
>
>   <element name="Permit" type="xacml:EffectDecisionType" substitutionGroup="xacml:Decision"/>
>   <element name="Deny" type="xacml:EffectDecisionType" substitutionGroup="xacml:Decision"/>
>   <element name="Indeterminate" type="xacml:IndeterminateDecisionType" substitutionGroup="xacml:Decision"/>
>
>   <complexType name="EffectDecisionType">
>     <complexContent>
>       <extension base="xacml:DecisionType">
>         <sequence>
>           <element ref="xacml:Obligations"/>
>         </sequence>
>       </extension>
>     </complexContent>
>   </complexType>
>
>   <complexType name="IndeterminateDecisionType">
>     <complexContent>
>       <extension base="xacml:DecisionType">
>         <sequence>
>           <element ref="xacml:Advice"/>
>         </sequence>
>       </extension>
>     </complexContent>
>   </complexType>
>
>   <element name="Obligations" type="xacml:ObligationsType"/>
>   <complexType name="ObligationsType">
>     <sequence>
>       <element ref="xacml:Obligation" minOccurs="0" maxOccurs="unbounded"/>
>     </sequence>
>   </complexType>
>
>   <element name="Obligation" type="xacml:ObligationType"/>
>   <complexType name="ObligationType">
>     <!-- Attribute declarations must follow the content model. -->
>     <sequence>
>       <!-- Parameter is referenced but not declared in this draft. -->
>       <element ref="xacml:Parameter" minOccurs="0" maxOccurs="unbounded"/>
>     </sequence>
>     <attribute name="uri" type="anyURI"/>
>   </complexType>
>
>   <element name="Advice" type="xacml:AdviceType"/>
>   <complexType name="AdviceType">
>     .....
>   </complexType>
> </schema>
>
>
> ============================================================
>
> ernesto damiani <edamiani@crema.unimi.it>
> To: Anne.Anderson@Sun.com, XACML TC <xacml@lists.oasis-open.org>
> cc:
> Subject: [xacml] Mon 29th concall - URGENT
> 2002/04/29 18:28
> Please respond to ernesto damiani
>
> Dear all,
> I hope you all had a safe trip back and carry not-too-bad memories of your
> stay in Italy.
> As was decided at the F2F, the agenda for today's concall will be
>
> 1. discussing and hopefully approving Michiharu's (and Simon's) proposal for
> the XACML context that was sent to the list a couple of days ago. Tim's comments
> would be useful here.
>
> 2. As a possible second point, I would also like to remind you that we
> still do not have a description of our activity on the Web; Michiharu asked for
> one.
> Here is my proposal:
>
> "The Schema subcommittee is aimed at:
> 1. developing the XACML access control model into an XML Schema (and its
> associated namespace) expressing normative XACML 1.0 syntax.
> 2. providing examples of policies written in XACML based on real-world use
> cases.
> 3. providing general, non-normative guidelines for implementation and
> conformance tests."
>
> Anyway, points two and three could be deleted if you believe we already have
> our hands full at the moment.
>
> IMPORTANT: I had a sudden health problem (nothing serious, a terrible
> toothache, and my face is half swollen). I am waiting for a call from my
> dentist telling me when I can go, and if it is during concall hours I won't
> be able to attend. Sorry..
>
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: <http://lists.oasis-open.org/ob/adm.pl>
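Added example, not code from the thread or from the XACML TC: a minimal PDP in Python that does what section 2.2 of the quoted proposal describes. It turns a constructed SAML 1.0-style AuthorizationDecisionQuery into a Context document whose element names follow the draft Context schema, evaluates a toy policy whose target and condition refer into that context with simple XPath, and emits a ResponseContext. Assumptions (none of them in the thread): a Python function stands in for the XSLT <transforms>, the policy is a dict rather than XACML syntax, the sample request and the obligation URI are made up, the PDP denies when no rule applies because the draft response schema has no NotApplicable decision, and Permit/Deny/Indeterminate are read as substitutes for the abstract Decision element.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
RESOURCE = "http://example.com/records/42"  # constructed resource URI


def _q(ns, *names):
    """Clark-notation path for ElementTree, e.g. {ns}Subject/{ns}NameIdentifier."""
    return "/".join(f"{{{ns}}}{n}" for n in names)


def saml_request(role):
    """Constructed SAML 1.0-style AuthorizationDecisionQuery (sample input, not a
    real capture). role=None omits the AttributeStatement altogether."""
    attr = ""
    if role is not None:
        attr = ('<saml:AttributeStatement><saml:Attribute AttributeName="role">'
                f"<saml:AttributeValue>{escape(role)}</saml:AttributeValue>"
                "</saml:Attribute></saml:AttributeStatement>")
    return f"""<samlp:Request xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}">
  <samlp:AuthorizationDecisionQuery Resource="{RESOURCE}">
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
    <saml:Action Namespace="urn:example:actions">read</saml:Action>
    <saml:Evidence><saml:Assertion Issuer="idp.example.com">{attr}</saml:Assertion></saml:Evidence>
  </samlp:AuthorizationDecisionQuery>
</samlp:Request>"""


def to_context(request_xml):
    """Stand-in for the proposal's XSLT <transforms>: run once per request, it copies
    what policies need out of the SAML Request into a Context whose element names
    follow the draft Context schema. Everything after this step is SAML-independent."""
    q = ET.fromstring(request_xml).find(_q(SAMLP, "AuthorizationDecisionQuery"))
    ctx = ET.Element("Context")
    principal = ET.SubElement(ctx, "ContextPrincipal")
    spec = ET.SubElement(principal, "SimplePrincipalSpecifier")
    ET.SubElement(spec, "NameIdentifier").text = q.findtext(_q(SAML, "Subject", "NameIdentifier"))
    # Subject attributes land under ContextPrincipal only, so a policy cannot
    # mistake them for resource attributes (which would live under ContextResource).
    for a in q.findall(_q(SAML, "Evidence", "Assertion")):
        asrt = ET.SubElement(principal, "Assertion", Issuer=a.get("Issuer", ""))
        for st in a.findall(_q(SAML, "AttributeStatement")):
            stmt = ET.SubElement(asrt, "AttributeStatement")
            for at in st.findall(_q(SAML, "Attribute")):
                el = ET.SubElement(stmt, "Attribute", AttributeName=at.get("AttributeName", ""))
                ET.SubElement(el, "AttributeValue").text = at.findtext(_q(SAML, "AttributeValue"))
    ET.SubElement(ET.SubElement(ctx, "ContextResource"), "ResourceSpecifier", uri=q.get("Resource", ""))
    ET.SubElement(ET.SubElement(ctx, "ContextAction"), "ActionSpecifier").text = q.findtext(_q(SAML, "Action"))
    ET.SubElement(ctx, "ContextRequestParameters")
    ET.SubElement(ctx, "ContextOther")
    return ctx


# Constructed policy (assumed format): each test is (path relative to <Context>,
# attribute name or None for element text, expected value). The paths are the
# "simple XPath expressions" of proposal step 4; ElementTree evaluates this subset.
RULES = [{
    "effect": "Permit",
    "target": [
        ("ContextResource/ResourceSpecifier", "uri", RESOURCE),
        ("ContextAction/ActionSpecifier", None, "read"),
    ],
    "condition": [
        ("ContextPrincipal/Assertion/AttributeStatement/Attribute[@AttributeName='role']/AttributeValue",
         None, "physician"),
    ],
    "obligations": ["urn:example:obligation:audit-log"],  # hypothetical obligation URI
}]


def _test(ctx, test):
    """None when the referenced attribute is absent (Indeterminate), else True/False."""
    path, attr, expected = test
    nodes = ctx.findall(path)
    if not nodes:
        return None
    return any((n.get(attr) if attr else (n.text or "").strip()) == expected for n in nodes)


def _response(decision, obligations=(), advice=""):
    """ResponseContext shaped like the draft Response Context schema, with
    Permit/Deny/Indeterminate standing in for the abstract Decision element."""
    resp = ET.Element("ResponseContext")
    dec = ET.SubElement(resp, decision)
    if decision == "Indeterminate":
        ET.SubElement(dec, "Advice").text = advice
    else:
        obls = ET.SubElement(dec, "Obligations")
        for uri in obligations:
            ET.SubElement(obls, "Obligation", uri=uri)
    return resp


def evaluate(ctx, rules):
    """First-applicable rule combining. A missing attribute yields Indeterminate
    rather than a silent non-match; with no applicable rule the PDP denies."""
    for rule in rules:
        for section in ("target", "condition"):
            results = [_test(ctx, t) for t in rule[section]]
            if None in results:
                missing = rule[section][results.index(None)][0]
                return _response("Indeterminate", advice=f"missing attribute: {missing}")
            if not all(results):
                break  # rule does not apply; try the next one
        else:
            return _response(rule["effect"], rule.get("obligations", ()))
    return _response("Deny")


def decision(resp):
    """Name of the decision element (Permit, Deny or Indeterminate)."""
    return resp[0].tag


if __name__ == "__main__":
    for role in ("physician", "nurse", None):
        print(role, "->", decision(evaluate(to_context(saml_request(role)), RULES)))
```

Two points a practitioner would check: an attribute the policy references but the context never received produces Indeterminate with Advice naming the missing path, so a policy that never finds its attribute can neither silently Permit nor be mistaken for a clean Deny; and because the transform puts subject attributes only under ContextPrincipal, the condition path cannot be satisfied by a same-named attribute carried on the resource side, which is the subject/resource distinction the Issues section of the proposal asks for.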