Subject: [xacml] <ContextPrincipal>


I am finally getting some time to review the various proposals
that have come out since the Milan Face-to-Face.  We had to get
out a release of our X.509 Attribute Certificate support...

I have an issue with the proposed <ContextPrincipal> syntax.
This issue answers and addresses Simon's question about the
relationship between multiple subjects.

Current proposal (from Simon's e-mail dated 7 May, titled
"[xacml] request and response context schema"):

 <xs:element name="ContextPrincipal" type="xacml:ContextPrincipalType"/>
 <xs:complexType name="ContextPrincipalType">
     <xs:sequence>
         <xs:element ref="xacml:AbstractPrincipal" maxOccurs="unbounded"/>
         <xs:element ref="xacml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
     </xs:sequence>
 </xs:complexType>

Assume I have a request where the user executing the thread has
authenticated as both "cn=Anne,ou=SunLabs,o=Sun,c=US" and as
"Anne.Anderson@Sun.COM".  Assume the executing code that
generated the access request was downloaded from
"http://java.sun.com/jdk1.4/classes".  Assume the code was signed
by two certificates with subject names
"cn=J2SESigner,ou=JavaSoft,o=Sun,c=US" and by
"cn=SunSigner,o=Sun,c=US".

As I understand it, we might try to express the multiple subjects
in this J2SE policy decision using this syntax as follows.

 <xacml:ContextPrincipal>
A    <xacml:SimplePrincipal>
         <xacml:NameIdentifier Format="X500Name">
             cn=Anne,ou=SunLabs,o=Sun,c=US
         </xacml:NameIdentifier>
     </xacml:SimplePrincipal>
B    <xacml:SimplePrincipal>
         <xacml:NameIdentifier Format="RFC822">
             Anne.Anderson@Sun.COM
         </xacml:NameIdentifier>
     </xacml:SimplePrincipal>
C    <xacml:SimplePrincipal>
         <xacml:NameIdentifier Format="URL">
             http://java.sun.com/jdk1.4/classes
         </xacml:NameIdentifier>
     </xacml:SimplePrincipal>
X    <xacml:Attribute AttributeName="SignedBy" AttributeFamily="J2SE"
                      Issuer="PEP" IssueInstant="5.24.02:05002Z">
         <AttributeValue>
             cn=J2SESigner,ou=JavaSoft,o=Sun,c=US
         </AttributeValue>
         <AttributeValue>
             cn=SunSigner,o=Sun,c=US
         </AttributeValue>
     </xacml:Attribute>
 </xacml:ContextPrincipal>

Note that Principals A and B are the same entity.  Attribute X
applies to Principal C, but not to Principals A and B.

The problem is, this syntax does not tell us
  1) What "role" each principal is playing (Simon's question
     about what is the relationship between multiple subject
     principals),
  2) Which SimplePrincipals refer to the same entity,
  3) Which attributes go with which SimplePrincipals.

We might be able to use the optional "NameQualifier" to specify
the "role" of each SimplePrincipal ("Executing user", "Executing
codebase", etc.), or to use <ComplexPrincipal>, but there
still needs to be some structural change to cover the attribute
associations.

I recommend something like the following.

 <xs:element name="ContextPrincipals" type="xacml:ContextPrincipalsType"/>
 <xs:complexType name="ContextPrincipalsType">
     <xs:sequence>
         <xs:element ref="xacml:ContextPrincipal" maxOccurs="unbounded"/>
     </xs:sequence>
 </xs:complexType>
 <xs:element name="ContextPrincipal" type="xacml:ContextPrincipalType"/>
 <xs:complexType name="ContextPrincipalType">
     <xs:sequence>
         <xs:element ref="xacml:AbstractPrincipal" maxOccurs="unbounded"/>
         <xs:element ref="xacml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
     </xs:sequence>
     <xs:attribute name="PrincipalType" type="xs:string" use="required"/>
 </xs:complexType>

This now allows attributes to be associated with their principal,
allows multiple identities for the same principal/entity to be
grouped together, and allows the type or role of the principal to
be specified ("ExecutingUser", "CodeBase", "ExecutionMachine").

I think <ComplexPrincipal> is probably a better way to handle
multiple principals in the long run, but I don't think the
current specification for <ContextPrincipal> is useful when using
more than one principal.

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
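The following is an added worked example, not code from the message above or from the XACML TC. It builds an instance of the grouped <ContextPrincipals> form proposed in the message, using the message's own scenario (Anne's two identities, the downloaded code base, and the two signers), and parses it so that the three questions the message raises can be answered mechanically: what role each principal plays (PrincipalType), which identifiers name the same entity (same group), and which attributes belong to which principal (same group). The namespace URI is a placeholder assumption, as is the idea that a PEP-supplied PrincipalType must be present and unique per request.

```python
"""Parse the grouped <ContextPrincipals> form and answer per-principal questions.

Added example; not from the original message. The namespace URI is an assumed
placeholder. Element and attribute names follow the message's proposal.
"""
import xml.etree.ElementTree as ET

NS = "http://example.org/xacml-draft"  # assumption: placeholder namespace URI
N = {"xacml": NS}

# Constructed instance of the proposed grouped form, using the message's scenario.
GROUPED = f"""<xacml:ContextPrincipals xmlns:xacml="{NS}">
  <xacml:ContextPrincipal PrincipalType="ExecutingUser">
    <xacml:SimplePrincipal>
      <xacml:NameIdentifier Format="X500Name">cn=Anne,ou=SunLabs,o=Sun,c=US</xacml:NameIdentifier>
    </xacml:SimplePrincipal>
    <xacml:SimplePrincipal>
      <xacml:NameIdentifier Format="RFC822">Anne.Anderson@Sun.COM</xacml:NameIdentifier>
    </xacml:SimplePrincipal>
  </xacml:ContextPrincipal>
  <xacml:ContextPrincipal PrincipalType="CodeBase">
    <xacml:SimplePrincipal>
      <xacml:NameIdentifier Format="URL">http://java.sun.com/jdk1.4/classes</xacml:NameIdentifier>
    </xacml:SimplePrincipal>
    <xacml:Attribute AttributeName="SignedBy" AttributeFamily="J2SE" Issuer="PEP">
      <xacml:AttributeValue>cn=J2SESigner,ou=JavaSoft,o=Sun,c=US</xacml:AttributeValue>
      <xacml:AttributeValue>cn=SunSigner,o=Sun,c=US</xacml:AttributeValue>
    </xacml:Attribute>
  </xacml:ContextPrincipal>
</xacml:ContextPrincipals>"""

# Constructed counter-example: a group with no PrincipalType, which the parser rejects.
UNTYPED = f"""<xacml:ContextPrincipals xmlns:xacml="{NS}">
  <xacml:ContextPrincipal>
    <xacml:SimplePrincipal>
      <xacml:NameIdentifier Format="RFC822">Anne.Anderson@Sun.COM</xacml:NameIdentifier>
    </xacml:SimplePrincipal>
  </xacml:ContextPrincipal>
</xacml:ContextPrincipals>"""


def parse_context_principals(xml_text):
    """Return {PrincipalType: {"ids": [(Format, value)], "attrs": {name: [values]}}}.

    Each <ContextPrincipal> group is one entity; all NameIdentifiers inside it are
    aliases of that entity and all Attributes inside it describe that entity only.
    A missing or duplicated PrincipalType is rejected (assumed rule) so the PDP
    never has to guess which entity an attribute belongs to.
    """
    root = ET.fromstring(xml_text)
    groups = {}
    for cp in root.findall("xacml:ContextPrincipal", N):
        ptype = cp.get("PrincipalType")
        if not ptype:
            raise ValueError("ContextPrincipal without PrincipalType")
        if ptype in groups:
            raise ValueError(f"duplicate PrincipalType {ptype!r}")
        ids = [(ni.get("Format"), ni.text.strip())
               for ni in cp.findall("xacml:SimplePrincipal/xacml:NameIdentifier", N)]
        attrs = {}
        for a in cp.findall("xacml:Attribute", N):
            vals = [v.text.strip() for v in a.findall("xacml:AttributeValue", N)]
            attrs.setdefault(a.get("AttributeName"), []).extend(vals)
        groups[ptype] = {"ids": ids, "attrs": attrs}
    return groups


def is_signed_by(groups, signer, principal_type="CodeBase"):
    """True if the principal in the given role carries SignedBy == signer."""
    g = groups.get(principal_type)
    return g is not None and signer in g["attrs"].get("SignedBy", [])


def identities_of(groups, principal_type):
    """All name identifiers that refer to the entity in the given role."""
    return [value for _fmt, value in groups.get(principal_type, {"ids": []})["ids"]]


def rejects(xml_text):
    """True if the context is structurally ambiguous under the assumed rules."""
    try:
        parse_context_principals(xml_text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    g = parse_context_principals(GROUPED)
    print("user identities:", identities_of(g, "ExecutingUser"))
    print("code base signed by SunSigner:", is_signed_by(g, "cn=SunSigner,o=Sun,c=US"))
    print("untyped group rejected:", rejects(UNTYPED))
```

Note that the same SignedBy query against the "ExecutingUser" group returns False: in the grouped form the attribute is bound to the code base and cannot be misread as a property of Anne, which is exactly the association the flat form in the message loses.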


