Subject: RE: [xacml] 7.7 Obligations


On Tue, 8 Oct 2002, Daniel Engovatov wrote:

>
> > not sure how you come to this conclusion: conformance is now more
> > difficult for the reasons stated above. rather than taking the position:
> >
> > "if you don't understand the decision, effectively DENY--ALL PEPs behave
> > the SAME"
>
> Pardon me for repeating a question:  why DENY?  Is not a decision with
> obligation just another kind of decision - and when an unambiguous and
> deterministic decision is reached - XACML land ends.  Enforcement point may
> lock you out of a building, or open floodgates and drown your town - on
> either PERMIT, or DENY.  Or shut itself down when it cannot understand the
> obligation.  It does not seem to me that the action taken by PEP is in the
> scope of XACML at all.

Well, I agree with that, but there does have to be some standard
interpretation, agreed upon, as to the intended meaning of an access
decision for a PEP to make sense of the decision. This is the semantics of
XACML.

Let's say a PDP emitted 0,1,2,3 as results.

Which means what?

So, according to the semantics of XACML and the way policy in XACML is
written, it is intended that:

"Permit" intends to Permit access
"Deny" intends to Deny access

Indeterminate and Inapplicable are by-products of that query that need
to be dealt with, probably by interpretation on the configuration of the
application's PEP with the PDP.

> And I agree - adding any protocol to communicate whether PEP understands
> anything is an unworkable complexity..

The PEP better understand something! :)

I wouldn't say it is unworkable. The PEP knows what obligations it can
satisfy, or else it wouldn't be able to answer the understandability
question.  The PDP knows, just by evaluating XACML, the obligations that it
will emit.  If the obligations are straight URIs or URNs, then
intersection based on URI/N equality is good enough to answer that
question, but the PDP is given the wherewithal to make that decision in a
standard way.

-Polar

> Daniel;
>

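The "deny unless you understand all obligations" enforcement discussed above, written out as an added example that is not part of the thread or of any XACML implementation. It models a deny-biased PEP whose set of understood obligation ids is compared with the ids on the PDP's decision by plain URN equality; the obligation URNs and attribute values are constructed sample data.

```python
from dataclasses import dataclass, field

# The four XACML decision values a PDP can return.
PERMIT, DENY, INDETERMINATE, NOT_APPLICABLE = (
    "Permit", "Deny", "Indeterminate", "NotApplicable")


@dataclass
class Decision:
    """A PDP result: an effect plus obligations keyed by obligation id (URN)."""
    effect: str
    obligations: dict = field(default_factory=dict)   # id -> attribute dict


@dataclass
class DenyBiasedPEP:
    """PEP that grants access only on Permit with fully understood obligations."""
    understood: frozenset                             # obligation ids it can fulfil
    audit: list = field(default_factory=list)         # obligations actually carried out

    def unknown_obligations(self, decision):
        """Obligation ids on the decision that this PEP cannot satisfy
        (set difference, i.e. the URI-equality intersection test)."""
        return set(decision.obligations) - self.understood

    def enforce(self, decision):
        """Return True to grant access, False to refuse it.
        Deny, Indeterminate and NotApplicable are all refused; Permit is
        honoured only when every attached obligation is understood and done."""
        if decision.effect != PERMIT:
            return False
        if self.unknown_obligations(decision):
            return False                              # would-be Permit collapses to Deny
        for oid, attrs in decision.obligations.items():
            self.audit.append((oid, dict(attrs)))     # record fulfilment of each obligation
        return True


# Constructed sample: the PEP understands one obligation (an access-log URN).
LOG = "urn:example:obligation:log-access"             # constructed id
MAIL = "urn:example:obligation:email-admin"           # constructed id


def demo():
    pep = DenyBiasedPEP(frozenset({LOG}))
    granted = pep.enforce(Decision(PERMIT, {LOG: {"level": "info"}}))
    refused = pep.enforce(Decision(PERMIT, {LOG: {}, MAIL: {"to": "ops"}}))
    return granted, refused, pep.enforce(Decision(INDETERMINATE)), len(pep.audit)
```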