OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: Re: [xacml] A proposal for Context

On Mon, 6 May 2002, Simon Godik wrote:

> Polar,
> Do you mean this definition to apply to the attribute holder as well?
> Simon

That is part of the research I haven't really figured out yet. I am
assuming that one can associate attributes with a simple principal, i.e.
(P has [a1,...,an]), where P is a principal, and a1,...,an are privileges,
attributes, etc.

However, there are several other conditional authorizations that may be
formulated, such as

(P with [s1,...,s2] has [a1,...,an])

where s1,...,s2 may be a list of other attributes that P must obtain
before he is granted a1,...,an. This leaves the question open to whether P
is really a hardcoded principal, or a wild card, or that (P with
[s1,...,s2]) is just really a principal predicate.

It looks like we are currently taking the AttributeHolder to be closely
related to the X.509 Attribute Certificate, where the holder is merely a

The question I think which is now on the table is whether we still
associate the Holder in the list of attributes in the ContextSubject, or
just the Attribute Values, as in your proposal.

The way I have done this in our CORBA security implemenation, is that it
is up to the Security Service (i.e.  the PEP in this case, which is also
the thing doing all the crypto, and signature validation) to forumlate the
correct Subject before giving it to the access control system. The reason
for this approach is that the client of the access control system already
has a concept of what the subject is and what its attributes are. It's no
good for the Access Control system to be thinking otherwise.

In CORBA what I have done is the structured principal concept, but every
Principal interface has a name, a list of attributes that the Security
Service has validated associated with the complex principal:

Lets take the case where we are a database and we get a request from our
WebServer that is actiing on behalf of Ernesto:

In my psuedo data structure lanaguage the client at the Database would
look like:

Client =
      name = "Ernesto Damiani"
      privileges = [Group:D,Hospital:Doctor"];
      speaking = SimplePrincipal
                     name = "WebServer"
                     privileges = "Group:D"
                     alt_names = []
      speaking_For = SimplePrincipal
                     name = "Ernesto Daminani"
                     privileges = ["Hospital:Doctor"]
                     alt_names = ["rfc822:edamiani@crema.unimi.it"]

You can see here, that the name is lifted up from speaking_for because
most access control systems may not care about the intermediates, but
can dig for them if they want. Also, as far as the privileges go, the
security service as unioned them together due to some validation and
reconciliation of the authorization data, cyrptographic or otherwise.

This is done in the security service (I.e. the PEP), because you don't
want the Access Control system coming up with a different answer than what
the PEP did.

According to this approach, I would probably follow your protocol and
only consider attributes that are associated with the principal in
question, and elminate AttributeHolder in the ContextSubject.

Grouping Attributes under Principal as above might work better?

How do others feel about this approach?


> ----- Original Message -----
> From: "Polar Humenn" <polar@syr.edu>
> To: "XACML" <xacml@lists.oasis-open.org>
> Sent: Monday, May 06, 2002 7:54 AM
> Subject: [xacml] A proposal for Context
> >
> > I have a small proposal on Simon's context.
> >
> > 1. We do not call the "subject" of the AuthorizationQuery the "Requestor".
> >
> > The "subject" of the authorization query is merely the subject, it is
> > not really requesting anything. I don't hold really hold to the idea
> > that the subject always "requesting access".
> >
> > I'd rather see the subject of the request be a structured principal, at
> > first, just one level, but later be able to be extended for more complex
> > principals.
> >
> > <x:Principal>
> > <x:NameIdentifier>....</x:NameIdentifier>
> > </xPrincipal>
> >
> > <x:SimplePrincipal>
> > <x:NameIdentifier>....</x:NameIdentifier>
> > <x:AlternateNames>
> >    <x:NameIdentifier>...<x:NameIdentifer>
> > </x:AlternateNames>
> > </x:SimplePrincipal>
> >
> >
> > and later on extend Principal to be Complex Principal, such as
> >
> > <x:ForPrincipal>
> >    <x:Speaking>
> >       <x:SimplePrincipal>....</x:SimplePrinipal>
> >    </x:Speacking>
> >    <x:SpeakingFor>
> >       <x:SimplePrincipal>....</x:SimplePrinipal>
> >    </x:SpeackingFor>
> > </x:ForPrincipal>
> >
> > Cheers,
> > -Polar
> >
> >
> > ----------------------------------------------------------------
> > To subscribe or unsubscribe from this elist use the subscription
> > manager: <http://lists.oasis-open.org/ob/adm.pl>
> >
> >
> >

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC