Subject: Re: [XACML] Privacy & Security
On 3 May, JMaclean@affinitex.com writes: [XACML] Privacy & Security

> 4 - Integrity of Policy
> It is important to ensure that the policy statements have not been altered
> since they were originally prepared by the PAP. In many cases, this can be
> achieved by ensuring the integrity of the systems and implementing session
> level techniques to secure the communication between.
>
> However, when policy is distributed between organizations to be acted upon
> at a later or when the policy travels with data, it is necessary to have
> some meta about the policy statements such as who authored the policy and
> when it was written. In these cases, it will be useful to have a digital
> signature of the policy included with the meta data about the policy.

There is no connection between "it is necessary to have some meta[data] about the policy statements such as who authored the policy and when it was written." and "it will be useful to have a digital signature of the policy included with the meta data about the policy." The signatures can be validated separately and independently from the meta-data about who authored the policy and when it was written.

> 6 - Elements included by reference
> There is a risk that references and extensions contained within a policy
> statement may have been altered since the policy was originally created and
> thus changed the intent of the policy statement. For instance, if a
> <policystatement> includes a rule by reference, there is no guarantee that
> the rule has not been changed. In the case of a rule, a <ruledigest> element
> may be used to uniquely identify the rule. The <ruledigest> element contains
> a hash of the original rule. In other cases, a digital signature of the
> source item could be included with the reference. This technique will allow
> the PDP to ensure that the rule or extension has not been altered.

We may no longer need a <ruledigest> element in order to uniquely identify the rule content. XMLDSig includes mechanisms for specifying signature over pointers and signature over content pointed to.

Anne
--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
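The integrity check the thread discusses for elements included by reference (a digest of the referenced rule recorded when the policy is written, recomputed by the PDP when the rule is fetched) can be sketched as follows. This is an added example, not code from the list thread, from the XACML specification or from any XMLDSig library: the rule store, the rule URI and the rule content are constructed sample values, and the whitespace-stripping re-serialization stands in for a real XML canonicalization (C14N) step, which is what XMLDSig would use before hashing.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: a rule kept outside the policy and included by reference.
RULE_URI = "urn:example:rule:deny-after-hours"
RULE_STORE = {
    RULE_URI: (
        '<Rule RuleId="deny-after-hours" Effect="Deny">'
        '<Condition>hour &gt; 18</Condition></Rule>'
    ),
}


def canonical_bytes(xml_text: str) -> bytes:
    """Parse and re-serialize the rule so that insignificant formatting
    (indentation, attribute quoting) does not change the digest.
    Assumption: a simplified stand-in for XML canonicalization, not C14N."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if el.text is not None and not el.text.strip():
            el.text = None
        if el.tail is not None and not el.tail.strip():
            el.tail = None
    return ET.tostring(root, encoding="utf-8")


def digest_of(xml_text: str) -> str:
    """SHA-256 over the canonical form; plays the role of <ruledigest> or
    of the DigestValue inside an XMLDSig Reference."""
    return hashlib.sha256(canonical_bytes(xml_text)).hexdigest()


def make_reference(rule_uri: str, store: dict) -> dict:
    """PAP side: when the policy is written, record the URI of the referenced
    rule together with the digest of its content at that moment."""
    return {"uri": rule_uri, "digest": digest_of(store[rule_uri])}


def resolve_reference(ref: dict, store: dict) -> str:
    """PDP side: fetch the referenced rule and refuse to evaluate it if its
    content no longer matches the digest recorded in the policy."""
    rule_text = store.get(ref["uri"])
    if rule_text is None:
        raise LookupError(f"referenced rule not found: {ref['uri']}")
    if digest_of(rule_text) != ref["digest"]:
        raise ValueError(
            f"referenced rule {ref['uri']} has changed since the policy was written"
        )
    return rule_text


def reference_is_intact(ref: dict, store: dict) -> bool:
    """Convenience wrapper: True if the reference still resolves to the
    content that was digested at policy-writing time."""
    try:
        resolve_reference(ref, store)
        return True
    except (LookupError, ValueError):
        return False


if __name__ == "__main__":
    ref = make_reference(RULE_URI, RULE_STORE)

    # Same rule, merely re-indented: the canonical digest still matches.
    reformatted = {RULE_URI: (
        '<Rule RuleId="deny-after-hours" Effect="Deny">\n'
        '  <Condition>hour &gt; 18</Condition>\n'
        '</Rule>'
    )}
    print("reformatted rule accepted:", reference_is_intact(ref, reformatted))

    # Effect flipped from Deny to Permit: the digest no longer matches.
    tampered = {RULE_URI: RULE_STORE[RULE_URI].replace('Effect="Deny"', 'Effect="Permit"')}
    print("tampered rule accepted:", reference_is_intact(ref, tampered))
```

The digest alone proves only that the fetched content equals what the PAP saw; binding that digest to an author and a time is what the enclosing signature (over the policy that carries the reference) adds, which is the separation Anne draws between signature validation and authorship metadata.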