

Subject: Re: [xacml] Mon 29th concall - URGENT


Hi

I will not be able to participate in the concall either (I am out of the office).

best
-p

On Mon, 29 Apr 2002, Michiharu Kudoh wrote:

> 
> I will not be able to join the confcall today because of the schedule
> conflicts. Since I had little time to update the current proposal, I just
> attach below the same document I sent the other day, and also attach the
> XACML Context schema and XACML Response Context schema without any
> modification from the discussion in F2F in Milan.
> 
> Best regards,
> Michiharu Kudo
> 
> IBM Tokyo Research Laboratory, Internet Technology
> Tel. +81 (46) 215-4642   Fax +81 (46) 273-7428
> ===============================================================
> Proposal Draft for XACML Context
> April 23, 2002
> Author:  Michiharu Kudo
> 
> This proposal introduces an XACML Context that defines the input parameters
> to the XACML policy evaluation engine. A primary purpose of the XACML Context
> is to facilitate attribute expressions that refer to the input parameters of
> XACML.
> 
> 1.   Issues
> When the XACML policy evaluation processor tries to retrieve values specified
> in a SAML Request, it potentially causes the following problems:
> 
> - A policy writer needs to add some information that may not be included in
> the SAML Request, e.g. the distinction between a subject attribute and a
> resource attribute.
> - XACML policy specification greatly depends on SAML Request syntax and the
> semantics that may be updated from time to time.
> - Since several assertion specification format/syntax/semantics have been
> proposed/deployed, SAML dependent XACML policy specification may reduce the
> applicability of XACML policy specification.
> 
> 2.  XACML Context
> We introduce the notion of XACML Context that functions as an intermediate
> assertion-neutral input data structure. XACML Context is represented by an
> XML document (logically it is not necessarily a physical XML instance but
> hypothetical XML document) that contains enough information for XACML
> processor such as subject attributes (e.g. role of the requesting
> principal), resource attributes (e.g. size of resource), and miscellaneous
> attributes (e.g. current time). While we assume that all the input to XACML
> Context is retrieved from the corresponding SAML Request, there is a case
> where the PDP supplies a set of attribute type-value pairs for subjects and
> resources. It depends on configuration of PDP.
> 
> 2.1 Merits
> -    XACML Policy specification becomes simpler with respect to attribute
> reference and its expression.
> -    XPath computation is done only once when the transformation from
> original access request to XACML Context is performed.
> -    The XACML processor does not have to compute XPath expressions on the
> target XML resource, which might cause a performance bottleneck, particularly
> when the target XML is huge.
> -    When the target resource is XML, the XACML policy does not have to be
> aware of the difference between a remote XML instance (referred to by URI)
> and a local XML instance embedded in the original access request.
> 
> 2.2 Proposal
> 
> 1.   XACML policyStatement (and/or policySetStatement) specifies optional
> <transforms> element that defines the syntax and the semantics of the XACML
> Context.
> 
> 2.   <transforms> is described using XSLT syntax.
> 
> 3.   When the <transforms> element is specified in <policyStatement>, the PDP
> performs a set of transformations against the SAML Request (if the access
> request is represented in SAML) and the requested XML target resource (if the
> target is an XML resource).
> 
> 4.   Once the transformation is performed, the input to the XACML processor,
> including the access request and relevant information, is specified as a
> potentially simple XML document whose element names are easily referred to by
> simple XPath expressions (e.g. /context/subject/NameIdentifier) in both the
> <target> section and the <condition> section.
> 
> 5.   Through the face-to-face discussion by TC members, we decided to
> define an XML schema for XACML Context.
> The following figure shows a data-flow of XACML Context-based Architecture.
> (refer to the pdf or word file)
> 
> ============================================================
> XACML Context Schema  (temporary result from the F2F discussion, may not be
> valid)
> 
> <?xml version="1.0" encoding="UTF-8"?>
> <!-- The XML Schema namespace is the default namespace so that the unprefixed
>      declarations below resolve. The draft names no target namespace for the
>      xacml prefix; the URN used here is a placeholder. -->
> <schema xmlns="http://www.w3.org/2001/XMLSchema"
>         xmlns:xacml="urn:PLACEHOLDER:xacml-context"
>         targetNamespace="urn:PLACEHOLDER:xacml-context"
>         elementFormDefault="unqualified" attributeFormDefault="unqualified">
> 
> <!-- Referenced below but not declared anywhere in the draft:
>      xacml:PrincipalSpecifier, xacml:ActionSpecifier, xacml:Parameter,
>      xacml:AuthenticationStatement, xacml:AuthorizationDecisionStatement,
>      xacml:AttributeStatement, and the SAML elements NameIdentifier and
>      SubjectConfirmation (no import of the SAML schema is shown). No root
>      element of ContextType is declared either. -->
> 
> <complexType name="ContextType">
>    <sequence>
>       <element ref="xacml:ContextPrincipal"/>
>       <element ref="xacml:ContextResource"/>
>       <element ref="xacml:ContextAction"/>
>       <element ref="xacml:ContextRequestParameters"/>
>       <element ref="xacml:ContextOther"/>
>    </sequence>
> </complexType>
> 
> <element name="ContextPrincipal" type="xacml:ContextPrincipalType"/>
> <complexType name="ContextPrincipalType">
>    <sequence>
>       <element ref="xacml:PrincipalSpecifier" minOccurs="1" maxOccurs="unbounded"/>
>       <element ref="xacml:Assertion" minOccurs="0" maxOccurs="unbounded"/>
>    </sequence>
> </complexType>
> 
> <complexType name="PrincipalSpecifierAbstractType" abstract="true"/>
> 
> <element name="SimplePrincipalSpecifier" type="xacml:SimplePrincipalSpecifierType"/>
> <complexType name="SimplePrincipalSpecifierType">
>    <complexContent>
>       <extension base="xacml:PrincipalSpecifierAbstractType">
>          <!-- Either a NameIdentifier with optional SubjectConfirmation, or a
>               SubjectConfirmation alone. -->
>          <choice>
>             <sequence>
>                <element ref="NameIdentifier"/>
>                <element ref="SubjectConfirmation" minOccurs="0"/>
>             </sequence>
>             <element ref="SubjectConfirmation"/>
>          </choice>
>       </extension>
>    </complexContent>
> </complexType>
> 
> <element name="ContextResource" type="xacml:ContextResourceType"/>
> <complexType name="ContextResourceType">
>    <sequence>
>       <element ref="xacml:ResourceSpecifier"/>
>       <element ref="xacml:Assertion" minOccurs="0" maxOccurs="unbounded"/>
>    </sequence>
> </complexType>
> 
> <element name="ResourceSpecifier" type="xacml:ResourceSpecifierType"/>
> <complexType name="ResourceSpecifierType">
>    <!-- A resource is either referred to by URI or embedded as Content. -->
>    <sequence>
>       <element ref="xacml:Content" minOccurs="0"/>
>    </sequence>
>    <attribute name="uri" type="anyURI" use="optional"/>
> </complexType>
> 
> <element name="Content" type="anyType"/>
> 
> <element name="ContextAction" type="xacml:ContextActionType"/>
> <complexType name="ContextActionType">
>    <sequence>
>       <element ref="xacml:ActionSpecifier"/>
>    </sequence>
> </complexType>
> 
> <element name="ContextRequestParameters" type="xacml:ContextRequestParametersType"/>
> <complexType name="ContextRequestParametersType">
>    <sequence>
>       <element ref="xacml:Parameter" minOccurs="0" maxOccurs="unbounded"/>
>    </sequence>
> </complexType>
> 
> <element name="ContextOther" type="xacml:ContextOtherType"/>
> <complexType name="ContextOtherType">
>    <sequence>
>       <element ref="xacml:Assertion" minOccurs="0" maxOccurs="unbounded"/>
>    </sequence>
> </complexType>
> 
> <!-- An element name may not carry a namespace prefix; the element lands in
>      the target namespace by declaration. -->
> <element name="Assertion" type="xacml:AssertionType"/>
> <complexType name="AssertionType">
>    <sequence>
>       <choice maxOccurs="unbounded">
>          <element ref="xacml:AuthenticationStatement"/>
>          <element ref="xacml:AuthorizationDecisionStatement"/>
>          <element ref="xacml:AttributeStatement"/>
>       </choice>
>    </sequence>
>    <attribute name="Issuer" type="string" use="required"/>
>    <attribute name="IssueInstant" type="dateTime" use="optional"/>
> </complexType>
> 
> <complexType name="AbstractStatementType" abstract="true">
>    <sequence>
>       <element ref="xacml:AssnSubject" minOccurs="0" maxOccurs="1"/>
>    </sequence>
> </complexType>
> 
> <element name="AssnSubject" type="xacml:AssnSubjectType"/>
> <!-- Left empty in the draft. -->
> <complexType name="AssnSubjectType"/>
> 
> <!-- The draft leaves this complexContent empty, which is not valid XSD;
>      deriving from AbstractStatementType is an assumed completion. -->
> <complexType name="AuthenticationStatementType">
>    <complexContent>
>       <extension base="xacml:AbstractStatementType"/>
>    </complexContent>
> </complexType>
> </schema>
> 
> 
> ============================================================
> XACML Response Context Schema  (temporary result from the F2F discussion,
> may not be valid!)
> 
> <?xml version="1.0" encoding="UTF-8"?>
> <!-- Same namespace conventions as the Context schema above; the xacml
>      target namespace URN is a placeholder, the draft names none. -->
> <schema xmlns="http://www.w3.org/2001/XMLSchema"
>         xmlns:xacml="urn:PLACEHOLDER:xacml-context"
>         targetNamespace="urn:PLACEHOLDER:xacml-context"
>         elementFormDefault="unqualified" attributeFormDefault="unqualified">
> 
> <!-- xacml:Parameter is referenced but not declared in the draft. Decision is
>      of the abstract DecisionType and the draft does not place Permit, Deny and
>      Indeterminate in a substitution group for it, so an instance would need
>      xsi:type to carry a concrete decision. -->
> 
> <element name="ResponseContext" type="xacml:ResponseContextType"/>
> <complexType name="ResponseContextType">
>   <sequence>
>      <element ref="xacml:Decision" minOccurs="1" maxOccurs="1"/>
>   </sequence>
> </complexType>
> 
> <element name="Decision" type="xacml:DecisionType"/>
> 
> <element name="Permit" type="xacml:EffectDecisionType"/>
> <element name="Deny" type="xacml:EffectDecisionType"/>
> <element name="Indeterminate" type="xacml:IndeterminateDecisionType"/>
> 
> <complexType name="DecisionType" abstract="true"/>
> 
> <!-- Permit and Deny carry Obligations; an extension must sit inside
>      complexContent and name a qualified base type. -->
> <complexType name="EffectDecisionType">
>    <complexContent>
>       <extension base="xacml:DecisionType">
>          <sequence>
>             <element ref="xacml:Obligations"/>
>          </sequence>
>       </extension>
>    </complexContent>
> </complexType>
> 
> <!-- Indeterminate carries Advice instead. -->
> <complexType name="IndeterminateDecisionType">
>    <complexContent>
>       <extension base="xacml:DecisionType">
>          <sequence>
>             <element ref="xacml:Advice"/>
>          </sequence>
>       </extension>
>    </complexContent>
> </complexType>
> 
> <element name="Obligations" type="xacml:ObligationsType"/>
> <complexType name="ObligationsType">
>    <sequence>
>       <element ref="xacml:Obligation" minOccurs="0" maxOccurs="unbounded"/>
>    </sequence>
> </complexType>
> 
> <element name="Obligation" type="xacml:ObligationType"/>
> <complexType name="ObligationType">
>    <!-- Attribute declarations must follow the content model. -->
>    <sequence>
>      <element ref="xacml:Parameter" minOccurs="0" maxOccurs="unbounded"/>
>    </sequence>
>    <attribute name="uri" type="anyURI"/>
> </complexType>
> 
> <element name="Advice" type="xacml:AdviceType"/>
> <complexType name="AdviceType">
>   <!-- ..... (content not given in the draft) -->
> </complexType>
> </schema>
> 
> 
> 
> 
> From: ernesto damiani <edamiani@crema.unimi.it>
> To: Anne.Anderson@Sun.com, XACML TC <xacml@lists.oasis-open.org>
> cc:
> Subject: [xacml] Mon 29th concall - URGENT
> Date: 2002/04/29 18:28
> Please respond to ernesto damiani
> 
> 
> 
> 
> Dear all,
> I hope you all had a safe trip back and carry not-too-bad memories of your
> stay in Italy.
> As was decided at the F2F, the agenda for today's concall will be
> 
> 1. discussing and hopefully approving Michiharu's (and Simon's) proposal for
> the XACML context that was sent to the list a couple of days ago. Tim's
> comments would be useful here.
> 
> 2. As a possible second point, I would also like to remind you that we still
> do not have a description of our activity on the Web; Michiharu asked for
> one.
> Here is my proposal:
> 
> "The Schema subcommittee is aimed at :
> 1. developing the XACML access control model into an XML Schema (and its
> associated namespace) expressing normative XACML 1.0 syntax.
> 2. providing examples of policies written in XACML based on real-world use
> cases
> 3. providing general, non-normative guidelines for implementation and
> conformance tests."
> 
> Anyway, points two and three could be deleted if you believe we already have
> our hands full at the moment.
> 
> IMPORTANT: I had a sudden health problem (nothing serious, a terrible
> toothache and my face is half swollen). I am waiting for a call from my
> dentist telling me when I can go and if it is during concall hours I won't
> be able to attend. Sorry..
> 
> 
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: <http://lists.oasis-open.org/ob/adm.pl>
> 
> 
> 
> 
> 
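The following is an added example, not part of this thread and not code from the XACML TC or any XACML implementation. It walks through steps 3 and 4 of Kudo's proposal (quoted above) in Python instead of XSLT: a constructed SAML 1.0-style AuthorizationDecisionQuery is mapped onto an instance shaped like the draft XACML Context schema, a rule then refers to attributes by simple paths into that context rather than into the SAML syntax, and the decision is serialised in the shape of the draft Response Context schema. Assumptions: the flat `Attribute name="..."` children under `ContextPrincipal` are this example's simplification (the draft keeps whole Assertions there), the single match list collapses XACML's target/condition split, and all element names, URIs and attribute values are made up.

```python
"""Added example: SAML Request -> draft XACML Context -> decision -> Response
Context, using only the standard library (no XSLT engine needed)."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}

# Constructed sample access request: the shape follows SAML 1.0, the values are made up.
SAMPLE_REQUEST = f"""<samlp:Request xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    RequestID="req-1" MajorVersion="1" MinorVersion="0">
  <samlp:AuthorizationDecisionQuery Resource="http://example.org/records/42">
    <saml:Subject><saml:NameIdentifier>alice@example.org</saml:NameIdentifier></saml:Subject>
    <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Read</saml:Action>
    <saml:Evidence>
      <saml:Assertion Issuer="https://idp.example.org" IssueInstant="2002-04-29T18:28:00Z">
        <saml:AttributeStatement>
          <saml:Attribute AttributeName="role" AttributeNamespace="urn:example:attrs">
            <saml:AttributeValue>physician</saml:AttributeValue>
          </saml:Attribute>
        </saml:AttributeStatement>
      </saml:Assertion>
    </saml:Evidence>
  </samlp:AuthorizationDecisionQuery>
</samlp:Request>"""


def saml_request_to_context(saml_xml):
    """Proposal step 3: the PDP maps the SAML Request onto the assertion-neutral
    Context. Element names follow the draft schema; the flat <Attribute name=..>
    children under ContextPrincipal are an assumption of this example."""
    query = ET.fromstring(saml_xml).find("samlp:AuthorizationDecisionQuery", NS)
    if query is None:
        raise ValueError("request carries no AuthorizationDecisionQuery")
    ctx = ET.Element("Context")
    principal = ET.SubElement(ctx, "ContextPrincipal")
    spec = ET.SubElement(principal, "SimplePrincipalSpecifier")
    name = query.find("saml:Subject/saml:NameIdentifier", NS)
    ET.SubElement(spec, "NameIdentifier").text = (name.text or "").strip() if name is not None else ""
    # Attribute statements from the evidence are reduced to flat name/value pairs,
    # so the policy never has to know SAML's Attribute/AttributeValue nesting.
    attr_path = "saml:Evidence/saml:Assertion/saml:AttributeStatement/saml:Attribute"
    for attr in query.findall(attr_path, NS):
        for value in attr.findall("saml:AttributeValue", NS):
            ET.SubElement(principal, "Attribute", name=attr.get("AttributeName", "")).text = (value.text or "").strip()
    ET.SubElement(ET.SubElement(ctx, "ContextResource"), "ResourceSpecifier", uri=query.get("Resource", ""))
    action = query.find("saml:Action", NS)
    ET.SubElement(ET.SubElement(ctx, "ContextAction"), "ActionSpecifier").text = (action.text or "").strip() if action is not None else ""
    ET.SubElement(ctx, "ContextRequestParameters")
    ET.SubElement(ctx, "ContextOther")
    return ctx


# Proposal step 4: the rule refers to attributes by simple paths into the context.
# Constructed rule; each entry is path -> (attribute name, or None for element text, expected value).
RULE = {
    "matches": {
        "ContextResource/ResourceSpecifier": ("uri", "http://example.org/records/42"),
        "ContextAction/ActionSpecifier": (None, "Read"),
        "ContextPrincipal/Attribute[@name='role']": (None, "physician"),
    },
    "effect": "Permit",
}


def evaluate(ctx, rule):
    """Deny on any mismatch; Indeterminate if a referenced value is absent from
    the context (the input never reached the PDP); otherwise the rule's effect."""
    for path, (attr, expected) in rule["matches"].items():
        node = ctx.find(path)
        if node is None:
            return "Indeterminate"
        actual = node.get(attr) if attr else (node.text or "")
        if actual != expected:
            return "Deny"
    return rule["effect"]


def build_response(decision, obligations=()):
    """Serialise the decision in the shape of the draft Response Context schema:
    Permit and Deny carry Obligations, Indeterminate carries Advice."""
    resp = ET.Element("ResponseContext")
    node = ET.SubElement(resp, decision)
    if decision == "Indeterminate":
        ET.SubElement(node, "Advice")
    else:
        obl = ET.SubElement(node, "Obligations")
        for uri in obligations:
            ET.SubElement(obl, "Obligation", uri=uri)
    return ET.tostring(resp, encoding="unicode")


def decide(saml_xml, rule=RULE, obligations=("urn:example:obligation:log-access",)):
    """Whole pipeline; obligations are attached only to a Permit."""
    decision = evaluate(saml_request_to_context(saml_xml), rule)
    return decision, build_response(decision, obligations if decision == "Permit" else ())


if __name__ == "__main__":
    print(decide(SAMPLE_REQUEST))
```

Changing the resource URI or the action in the request makes the same rule return Deny, and removing the `role` attribute from the evidence returns Indeterminate, which is the case the draft's Response schema reserves for Advice rather than Obligations. The point of the proposal is visible in `RULE`: nothing in it mentions SAML namespaces or element nesting, so the same rule would work unchanged if the context were built from a different assertion format.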


