Subject: Re: [xacml] Request and Response Context Schemas - Take 2


On 5 June, Polar Humenn writes: Re: [xacml] Request and Response Context Schemas - Take 2
 > I would really like to get rid of this "multiple" principals concept, and
 > go with a structured principal. That way the security software can
 > construct the proper principal.

As I said before, I don't think we are ready to define a
structured resource.  Yes, we could use the relationships
described in "A Calculus for Access Control in Distributed
Systems" by Abadi, Burrows, Lampson, and Plotkin, but: we don't
have a model for how a policy writer should use this structure in
writing real policies.  For example, do I trust
Anne.Anderson@Sun.COM to have access to resource X as long as the
request asserts that all intermediaries are "quoting" her?  Do I
trust saguaro.east.sun.com "quoting" java.io.InputStream
"speaking for" Anne.Anderson@Sun.COM?  Theoretically, I think the
structure, and maybe the use model, are available, but I think it
will take more time than we have right now to incorporate that
into XACML.  Having multiple role-defined Principals is a way to
work around this problem in the meantime, and I, at least, have a
clear idea of how that is used in policy statements, since it is
the same way PolicyFile is used now.

 > As for having multiple resources, I disagree. We have to limit the
 > "request" to something specific, so we aren't doing too much guessing at
 > the policy end, i.e. at most 1 (structured) principal, 1 resource, 1
 > action.

I am happy to go with one resource.  I think more than one action
is probably useful.  See above for 1 (structured) principal.

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
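The two request shapes the message weighs, as an added worked example (not code from the XACML TC, from this e-mail, or from the Abadi/Burrows/Lampson/Plotkin paper): a single ABLP-style structured principal in which saguaro.east.sun.com "quoting" java.io.InputStream is asserted to "speak for" Anne.Anderson@Sun.COM, beside a flat request carrying several role-labelled subjects that a PolicyFile-style rule evaluates jointly, with one resource and several actions. The principal names are the ones the message uses; the policy tables, the action names, the role labels and the host evil.example are constructed for illustration, as is the "believe_request" switch that shows the unsafe reading the message asks about.

```python
"""Structured principal vs. several role-labelled subjects in a request.

Added example; not code from the XACML TC or the e-mail it follows.
Policy tables, role labels, actions and 'evil.example' are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple, Union


# ---- 1. One structured (ABLP-style) principal ------------------------------

@dataclass(frozen=True)
class Name:
    """Atomic principal: a user, a host, or a piece of code."""
    id: str


@dataclass(frozen=True)
class Quoting:
    """ABLP 'quoter | quoted': quoter relays statements it attributes to quoted."""
    quoter: "Principal"
    quoted: "Principal"


Principal = Union[Name, Quoting]


@dataclass(frozen=True)
class StructuredRequest:
    """Requester asserts 'speaker speaks for subject' for one resource/action."""
    speaker: Principal
    subject: Name
    resource: str
    action: str


def atoms(p: Principal) -> Set[str]:
    """Every atomic name appearing anywhere in a compound principal."""
    if isinstance(p, Name):
        return {p.id}
    return atoms(p.quoter) | atoms(p.quoted)


def evaluate_structured(req: StructuredRequest,
                        grants: Dict[Tuple[str, str], Set[str]],
                        trusted_delegates: Dict[str, Set[str]],
                        believe_request: bool = False) -> bool:
    """grants: (subject, resource) -> actions that subject may perform.
    trusted_delegates: subject -> names the POLICY accepts in a chain that
    speaks for that subject.  believe_request=True takes the request's own
    'speaks for' claim at face value (constructed switch): any chain that
    merely ends in Anne would then be enough."""
    if req.action not in grants.get((req.subject.id, req.resource), set()):
        return False
    if believe_request:
        return True
    # Sound reading: the chain is only as good as the policy's trust in each link.
    return atoms(req.speaker) <= trusted_delegates.get(req.subject.id, set())


# ---- 2. Several role-labelled subjects, one resource, several actions -------

@dataclass(frozen=True)
class FlatRequest:
    subjects: Dict[str, str]      # role -> name, e.g. {"user": ..., "host": ...}
    resource: str
    actions: FrozenSet[str]


Rule = Tuple[Dict[str, str], str, Set[str]]   # (required subjects, resource, actions)


def evaluate_flat(req: FlatRequest, rules: List[Rule]) -> Dict[str, bool]:
    """A rule applies only when every role it names is present in the request
    with the expected value, the way a PolicyFile grant needs codeBase,
    signedBy and principal to all hold.  One decision per requested action."""
    permitted: Set[str] = set()
    for required, resource, actions in rules:
        if resource != req.resource:
            continue
        if all(req.subjects.get(role) == who for role, who in required.items()):
            permitted |= actions
    return {a: a in permitted for a in req.actions}


# ---- Constructed sample policy and requests ---------------------------------

ANNE = Name("Anne.Anderson@Sun.COM")
HOST = Name("saguaro.east.sun.com")
CODE = Name("java.io.InputStream")
ROGUE = Name("evil.example")   # constructed: an intermediary the policy never named

GRANTS = {(ANNE.id, "X"): {"read"}}
TRUSTED = {ANNE.id: {HOST.id, CODE.id}}
RULES: List[Rule] = [({"user": ANNE.id, "codebase": CODE.id, "host": HOST.id},
                      "X", {"read"})]

GOOD_CHAIN = StructuredRequest(Quoting(HOST, CODE), ANNE, "X", "read")
ROGUE_CHAIN = StructuredRequest(Quoting(ROGUE, CODE), ANNE, "X", "read")
FLAT_FULL = FlatRequest({"user": ANNE.id, "codebase": CODE.id, "host": HOST.id},
                        "X", frozenset({"read", "write"}))
FLAT_NO_HOST = FlatRequest({"user": ANNE.id, "codebase": CODE.id},
                           "X", frozenset({"read"}))

if __name__ == "__main__":
    print(evaluate_structured(GOOD_CHAIN, GRANTS, TRUSTED))                   # True
    print(evaluate_structured(ROGUE_CHAIN, GRANTS, TRUSTED))                  # False
    print(evaluate_structured(ROGUE_CHAIN, GRANTS, TRUSTED, True))            # True: the hazard
    print(evaluate_flat(FLAT_FULL, RULES))      # read True, write False
    print(evaluate_flat(FLAT_NO_HOST, RULES))   # read False: host role missing
```

The point the two evaluators make concrete: with a structured principal, the request's own "speaks for" assertion proves nothing, so the policy must carry its own trust table for the intermediaries (TRUSTED above), which is the use model the message says is not yet worked out; with several role-defined subjects, the policy writer simply names every role a rule requires, and the per-action result shows why more than one action per request is convenient while one resource per request keeps the match unambiguous.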