Subject: RE: [xacml] XACML Request as "notional" XML document

Anne - Thanks for taking the trouble to consult Eve.  My reading is that she identifies one potential problem that (I believe) will not apply in our case.  The "transformer" that transforms saml to xacmlContext will start a session with the PDP, in which it requests a decision.  Any subsequent requests for attributes by the PDP will be in that session.  Therefore, the transformer will be able to relate those attribute requests to its decision request.

Changing the name from request context to query context would be fairly simple.  All the best.  Tim

P.S.  I am trying out a new keyboard.  So, I apologise for the poor typing.

-----------------------------------------
Tim Moses
Tel: 613.270.3183


-----Original Message-----
From: Anne Anderson [mailto:Anne.Anderson@Sun.com]
Sent: Friday, July 19, 2002 8:48 AM
To: XACML TC
Subject: [xacml] XACML Request as "notional" XML document


Tim had asked me to ask Eve Maler what she thought about our idea
of the XACML Request being a "notional" document, rather than a
physical document.  I see two "issues" from her response:

1. Should we rename XACML "Request" to "Query"?
2. Do we want to incur the cost of "data bindings" and "COM-based
   processing" to handle references to such a "notional" XML
   document?

Anne
------- start of forwarded message -------
From: "Eve L. Maler" <eve.maler@sun.com>
To: Anne.Anderson@sun.com
Subject: Re: "notional" XML document
Date: Thu, 18 Jul 2002 15:51:56 -0400

Hi Anne,

A question before I try to answer yours: If the XACML Request element is
sort of a SAML AuthorizationDecisionQuery, should it really be called a
Query instead?  SAML's query and request levels really do two different
things; the request is the wrapper that has some housekeeping stuff and
the query contains the "guts".

Regarding the notion of notional documents :-): I'm having a little
trouble picturing what's going on.  I could see a policy being accessed
in a virtual manner, but why would a request need to be accessed this
way?  But assuming that it does, there's often no problem in treating
XML structures virtually rather than physically.  Data bindings and
DOM-based processing do this; they certainly don't physically walk an
angle-bracket-laden flat file.  The sort of problem you might have with
this is dereferencing unique IDs for policies/requests/whatever; you
just need to be sure that what you're accessing is persistent enough for
your purposes.

I still may be missing your point, though.  If you think F2F
conversation might help, perhaps we could get together tomorrow.  (I'm
working from home today.)  What do you think?

        Eve

Anne Anderson wrote:
> XACML is defining an XML document, called the xacml:Request, that
> will describe the access request being evaluated.  This document
> is similar to a SAML AuthorizationDecisionQuery, but is designed
> for XACML requirements and extensibility (it is easy to map a
> SAML AuthorizationDecisionQuery into the XACML document, and
> being able to do so was a strong requirement for us).
>
> We are treating this Request as a "notional" document, rather
> than necessarily as a physical XML document.  Tim Moses suggested
> I ask you about your opinion on this.
>
> By "notional" document, I mean that an XACML policy can "refer"
> to the information in the Request document that is not physically
> in any single XML document.  For example, my XACML policy can
> refer to a "Role" attribute in the "Subjects" section of the
> Request, and have that reference trigger a behind the scenes
> query to an Attribute Authority to obtain the value of such an
> attribute for the subject.  The reference results in the value
> for the attribute, if it was found by the AA, just as if the
> value had been in a physical document somewhere.  If no value
> could be obtained, the reference results in a "null" value or
> error, just as if the value were not in a physical document.
>
> Any comments?
>
> Anne


--
Eve Maler                                        +1 781 442 3190
Sun Microsystems                            cell +1 781 883 5917
XML Web Services / Industry Initiatives      eve.maler @ sun.com


------- end of forwarded message -------

--
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
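The lazily resolved attribute reference Anne describes (a policy reference to Role in the Subjects section of the Request that triggers a behind-the-scenes query to an Attribute Authority, yielding a null value when nothing is found), together with Tim's point that such queries are scoped to the decision session the PDP opened, sketched as an added Python example that is not part of this thread. The RequestContext class, the AttributeAuthority callback signature, the evaluate_role_rule rule and the sample directory are all assumptions for illustration, not XACML or SAML interfaces.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical Attribute Authority hook (assumption, not an XACML interface):
# (session_id, category, attribute_id, subject) -> value, or None if unknown.
AttributeAuthority = Callable[[str, str, str, str], Optional[str]]

@dataclass
class RequestContext:
    """'Notional' request: physical attributes plus on-demand AA lookups."""
    session_id: str          # decision session the PDP opened with the transformer
    subject: str
    attributes: Dict[Tuple[str, str], str]   # {(category, attribute_id): value}
    aa: AttributeAuthority
    aa_queries: List[Tuple[str, str, str]] = field(default_factory=list)  # audit trail

    def get(self, category: str, attribute_id: str) -> Optional[str]:
        key = (category, attribute_id)
        if key in self.attributes:            # present in the physical document
            return self.attributes[key]
        # Absent: ask the AA behind the scenes, tagged with this decision session.
        self.aa_queries.append((self.session_id, category, attribute_id))
        value = self.aa(self.session_id, category, attribute_id, self.subject)
        if value is not None:
            self.attributes[key] = value      # reuse for the rest of the session
        return value                          # None == "no value could be obtained"

def evaluate_role_rule(ctx: RequestContext, required_role: str) -> str:
    """Permit if Subjects/Role matches; Indeterminate if the reference yields null."""
    role = ctx.get("Subjects", "Role")
    if role is None:
        return "Indeterminate"
    return "Permit" if role == required_role else "Deny"

# Constructed sample AA directory (not real data): roles for two subjects only.
SAMPLE_DIRECTORY = {"alice": "doctor", "bob": "nurse"}

def sample_aa(session_id: str, category: str, attribute_id: str, subject: str) -> Optional[str]:
    if (category, attribute_id) == ("Subjects", "Role"):
        return SAMPLE_DIRECTORY.get(subject)
    return None

def demo():
    ctx1 = RequestContext("s1", "alice", {("Subjects", "Role"): "doctor"}, sample_aa)  # Role supplied
    ctx2 = RequestContext("s2", "bob", {}, sample_aa)     # Role missing: AA query in session s2
    ctx3 = RequestContext("s3", "carol", {}, sample_aa)   # unknown subject: AA finds nothing
    return (evaluate_role_rule(ctx1, "doctor"), len(ctx1.aa_queries),
            evaluate_role_rule(ctx2, "doctor"), ctx2.aa_queries,
            evaluate_role_rule(ctx3, "doctor"))
```

The aa_queries list is what lets the transformer correlate each attribute request with the decision request that caused it, which is the session relationship Tim relies on above.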

