Subject: Re: [xacml] Request and Response Context Schemas - Take 2
I just meant that I would prefer symmetry. I think only one resource should be specified for a usual access request. I wanted to see an example that specifies a <Holder> that is different from the description in PrincipalID.

Michiharu
IBM Tokyo Research Laboratory, Internet Technology
Tel. +81 (46) 215-4642  Fax +81 (46) 273-7428

Anne Anderson <Anne.Anderson@Sun.com>
2002/06/06 02:11
Please respond to Anne.Anderson
To: Michiharu Kudoh/Japan/IBM@IBMJP
cc: XACML TC <xacml@lists.oasis-open.org>
Subject: Re: [xacml] Request and Response Context Schemas - Take 2

On 5 June, Michiharu Kudoh writes: Re: [xacml] Request and Response Context Schemas - Take 2

> I am not clear on your sentence "If we ever expect to have multiple
> resources, we need to know which actions go with which resource, and this
> makes that association." Does this mean that PEP can ask PDP with more than
> two or more pairs of resource and action (e.g. read a.xml and update b.xml)
> per one access request?

My mistake. I thought you were proposing multiple resources in your 3 Jun 2002 message titled "Observation on J2SE context proposal":

> (here I am assuming that <ContextResource> and
> <ContextAction> have a child element called <Resource> and <Action>,
> respectively.)

I think it is OK to allow just one resource. As long as we allow just one resource, then any actions are automatically associated with that resource. It is only if we decide to allow more than one resource that it becomes an issue to associate actions with a particular resource.

> As far as I understand, each <Principal> consists of optional <PrincipalID>
> and any number of <Attribute> that consists of optional <Holder> and one
> <AttributeValue> that can contain anything in it. Is that correct?

Yes. The <Attribute>s that are included in a <Principal> should not have a <Holder> element (or else, failure of the Holder element to match the <Principal/NameIdentifier> element is an error).

> I am wondering whether <PrincipalID> differs from <Holder> or not.

It does not. My proposed definition of Holder has type="xacml:PrincipalIDType".

> Since <ContextPrincipals> allows multiple <Principal>s, I
> thought that each <Principal> has different <PrincipalID>
> specified by <NameIdentifier> that is equal to <Holder> (that
> also consists of <NameIdentifier>) of the <Attribute>. I
> would like to see an XACML Context example based on your schema.

Here is the previous example based on the new schema (but with only one resource). Note that the <Attribute> does not include a Holder, since the Holder is implicit from the <NameIdentifier>:

  <xacml:RequestContext>
    <xacml:ContextPrincipals>
      <xacml:Principal PrincipalType="j2se:RequestingUser">
        <xacml:NameIdentifier Format="itu:X500DistinguishedName">
          "cn=Anne,ou=SunLabs,o=Sun,c=US"
        </xacml:NameIdentifier>
      </xacml:Principal>
      <xacml:Principal PrincipalType="j2se:RequestingUser">
        <xacml:NameIdentifier Format="ietf:RFC822Name">
          "Anne.Anderson@Sun.COM"
        </xacml:NameIdentifier>
      </xacml:Principal>
      <xacml:Principal PrincipalType="j2se:CodeSource">
        <xacml:NameIdentifier Format="ietf:URL">
          "http://java.sun.com/jdk1.4/classes"
        </xacml:NameIdentifier>
        <xacml:Attribute AttributeName="j2se:SignedBy">
          <xacml:AttributeValue>
            "cn=J2SESigner,ou=JavaSoft,o=Sun,c=US"
          </xacml:AttributeValue>
          <xacml:AttributeValue>
            "cn=SunSigner,o=Sun,c=US"
          </xacml:AttributeValue>
        </xacml:Attribute>
      </xacml:Principal>
    </xacml:ContextPrincipals>
    <xacml:ContextResource>
      <xacml:ResourceSpecifier ResourceURI="file:/net/saguaro/home/zoe/status.txt"/>
    </xacml:ContextResource>
    <xacml:ContextActions>
      <xacml:Action>
        "read"
      </xacml:Action>
    </xacml:ContextActions>
  </xacml:RequestContext>

Anne
--
Anne H. Anderson                 Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311      Tel: 781/442-0928
Burlington, MA 01803-0902 USA    Fax: 781/442-1692
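As an added example, not part of the thread or of any XACML implementation: a small Python check for the two rules Anne states above, that a request carries exactly one resource and that an <Attribute> inside a <Principal> either omits <Holder> or carries one whose NameIdentifier matches the Principal's own. The namespace URI and the Holder/NameIdentifier layout are assumptions, since the draft in the thread gives neither; the sample document is constructed from Anne's example.

```python
# Added example: checks the draft RequestContext rules discussed in the thread.
# The namespace URI and the shape of <Holder> are assumptions, not from the draft.
import xml.etree.ElementTree as ET

NS = {"xacml": "urn:example:xacml-draft"}  # assumed placeholder URI

def name_id(elem):
    """(Format, text) of the NameIdentifier directly under elem, or None."""
    nid = elem.find("xacml:NameIdentifier", NS)
    if nid is None:
        return None
    return (nid.get("Format"), (nid.text or "").strip())

def validate_request_context(xml_text):
    """Return a list of error strings; an empty list means the context is acceptable."""
    root = ET.fromstring(xml_text)
    errors = []
    # One resource per access request, as agreed in the thread.
    specs = root.findall("xacml:ContextResource/xacml:ResourceSpecifier", NS)
    if len(specs) != 1:
        errors.append(f"expected exactly one ResourceSpecifier, found {len(specs)}")
    for principal in root.findall("xacml:ContextPrincipals/xacml:Principal", NS):
        pid = name_id(principal)
        for attr in principal.findall("xacml:Attribute", NS):
            holder = attr.find("xacml:Holder", NS)
            if holder is None:
                continue  # Holder omitted: implicit from the Principal's NameIdentifier
            if name_id(holder) != pid:  # explicit Holder must match, else error
                errors.append(f"Holder of {attr.get('AttributeName')} does not match "
                              f"Principal NameIdentifier {pid}")
    return errors

def sample(holder_value=None):
    """Constructed request: one CodeSource principal; optional Holder on its attribute."""
    holder = ""
    if holder_value is not None:
        holder = ('<xacml:Holder><xacml:NameIdentifier Format="ietf:URL">'
                  f'{holder_value}</xacml:NameIdentifier></xacml:Holder>')
    return f"""<xacml:RequestContext xmlns:xacml="{NS['xacml']}">
  <xacml:ContextPrincipals>
    <xacml:Principal PrincipalType="j2se:CodeSource">
      <xacml:NameIdentifier Format="ietf:URL">http://java.sun.com/jdk1.4/classes</xacml:NameIdentifier>
      <xacml:Attribute AttributeName="j2se:SignedBy">{holder}
        <xacml:AttributeValue>cn=SunSigner,o=Sun,c=US</xacml:AttributeValue>
      </xacml:Attribute>
    </xacml:Principal>
  </xacml:ContextPrincipals>
  <xacml:ContextResource>
    <xacml:ResourceSpecifier ResourceURI="file:/net/saguaro/home/zoe/status.txt"/>
  </xacml:ContextResource>
  <xacml:ContextActions><xacml:Action>read</xacml:Action></xacml:ContextActions>
</xacml:RequestContext>"""
```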