Subject: Re: [XACML] Privacy & Security


On 3 May, JMaclean@affinitex.com writes: [XACML] Privacy & Security
 > 4 - Integrity of Policy 
 > It is important to ensure that the policy statements have not been altered since
 > they were originally prepared by the PAP.  In many cases, this can be
 > achieved by ensuring the integrity of the systems and implementing session
 > level techniques to secure the communication between. 
 > 
 > However, when policy is distributed between organizations to be acted upon
 > at a later or when the policy travels with data, it is necessary to have
 > some metadata about the policy statements such as who authored the policy and
 > when it was written.  In these cases, it will be useful to have a digital
 > signature of the policy included with the metadata about the policy.

There is no connection between "it is necessary to have some
meta[data] about the policy statements such as who authored the
policy and when it was written." and "it will be useful to have
digital signature of the policy included with the meta data about
the policy."  The signatures can be validated separately and
independently from the meta-data about who authored the policy
and when it was written.

 > 6 - Elements included by reference 
 > There is a risk that references and extensions contained within a policy
 > statement may have been altered since the policy was originally created, thus
 > changing the intent of the policy statement.  For instance, if a
 > <policystatement> includes a rule by reference, there is no guarantee that the
 > rule has not been changed.  In the case of a rule, a <ruledigest> element may
 > be used to uniquely identify the rule.  The <ruledigest> element contains a
 > hash of the original rule.  In other cases, a digital signature of the
 > source item could be included with the reference. This technique will allow
 > the PDP to ensure that the rule or extension has not been altered.

We may no longer need a <ruledigest> element in order to uniquely
identify the rule content.  XMLDSig includes mechanisms for
specifying signature over pointers and signature over content
pointed to.

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
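An added illustration of the point made in this reply, not code from the thread or from any XACML implementation: a ds:Reference records a digest of the content its URI points to, so a PDP that re-dereferences the URI detects a changed rule even though the pointer itself is unchanged. The rule store, URIs and rule XML are constructed samples, and XMLDSig canonicalization and the SignatureValue over SignedInfo are omitted to keep the example short.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256"

# Constructed sample: a rule kept in a separate document that a policy includes by reference.
RULE_STORE = {
    "urn:example:rules:audit-read": '<rule id="audit-read"><effect>Permit</effect></rule>',
}


def digest_value(content: bytes) -> str:
    """Base64 SHA-256 digest as carried in ds:DigestValue (canonicalization omitted here)."""
    return base64.b64encode(hashlib.sha256(content).digest()).decode("ascii")


def build_signed_info(uris, resolve) -> str:
    """Build a ds:SignedInfo whose ds:Reference elements digest the *content* each URI points to.
    In real XMLDSig the signature then covers SignedInfo, binding the URIs to these digests."""
    signed_info = ET.Element(f"{{{DS_NS}}}SignedInfo")
    for uri in uris:
        ref = ET.SubElement(signed_info, f"{{{DS_NS}}}Reference", URI=uri)
        ET.SubElement(ref, f"{{{DS_NS}}}DigestMethod", Algorithm=SHA256_URI)
        ET.SubElement(ref, f"{{{DS_NS}}}DigestValue").text = digest_value(resolve(uri).encode("utf-8"))
    return ET.tostring(signed_info, encoding="unicode")


def verify_references(signed_info_xml: str, resolve) -> dict:
    """PDP-side check: dereference each URI again and compare against the recorded digest.
    Returns {uri: True/False}; a rewritten target fails although its URI is unchanged."""
    root = ET.fromstring(signed_info_xml)
    outcome = {}
    for ref in root.findall(f"{{{DS_NS}}}Reference"):
        uri = ref.get("URI")
        recorded = ref.findtext(f"{{{DS_NS}}}DigestValue")
        outcome[uri] = digest_value(resolve(uri).encode("utf-8")) == recorded
    return outcome


if __name__ == "__main__":
    info = build_signed_info(RULE_STORE, RULE_STORE.__getitem__)
    print(verify_references(info, RULE_STORE.__getitem__))  # every reference True
    # Someone edits the stored rule after the policy was prepared (constructed tampering).
    tampered = dict(RULE_STORE)
    tampered["urn:example:rules:audit-read"] = '<rule id="audit-read"><effect>Deny</effect></rule>'
    print(verify_references(info, tampered.__getitem__))  # that reference now False
```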