Re: [xacml] Observation on J2SE context proposal (fwd)

[Polar Humenn <polar@syr.edu>]

---------- Forwarded message ----------
Date: Mon, 3 Jun 2002 09:46:03 -0400 (EDT)
From: Polar Humenn <polar@syr.edu>
To: Michiharu Kudoh <KUDO@jp.ibm.com>
Subject: Re: [xacml] Observation on J2SE context proposal


I also have some comments on the ContextPrincipal proposal.

At the very outset, I see that we are quickly going toward the notion of a
"ComplexPrincipal".

I would rather see ONE principal, and that principal be structured
appropriately by the way the security software (PEP?) sees the principal
that is the subject of the access decision request.

I can see the need of having multiple principals, i.e.  CodeSource and
Subject, etc. but these are not "principal types" they are "roles" played
by simple or complex principals.

The principal calculus denotes such things as "P as R", where P is a
(possibly complex) principal, and R is a role, (or a simple principal).

You may, for example, have principal Gates be the subject of the access
decision, however, he is running code signed by both Sun and Microsoft.

This complex principal would look like:

((Sun 'and' Microsoft) 'as' CodeSource) 'quotes' Gates)

So, instead of having a mismash of principals in the Context, of which the
policy engine must guess what is happening at the PEP, the security
software on the PEP prepares the request setting up the structured
princpal appropriately.

Also, for the record, and I will keep on saying this, as I have said
before, I believe that the "RequestingUser" or "Requestor" has the wrong
connotation in this situation. Formally, in the PDP context, the
"requestor" should be the thing asking the access decision question, which
has NOTHING to do with the "subject" of the access decision request. I
believe the actual "requestor" in this situation,(i.e. the PEP?), is out
of scope of the policy itself.

Cheers,
-Polar