
Subject: RE: [xacml] Comparing XACML with WS Policy framework


I am not clear on the example you wrote. Could you explain that more in


From: Tim Moses <tim.moses@entrust.com>
Date: 2003/01/30 22:55
To: Tim Moses <tim.moses@entrust.com>, "'XACML'" <xacml@lists.oasis-open.org>
cc:
Subject: RE: [xacml] Comparing XACML with WS Policy framework

Colleagues - A couple more observations:

1. Early in the XACML project we clarified that "combining" meant combining
the "results" of policies or rules, rather than combining policies
themselves.  It seems now that there is a need to combine policies and
rules also.  I expect that it is only practical to combine isomorphic
policies or rules.  This is why the WSS-QoP specification defined a rigid
structure of services containing mechanisms, with an implied logic ("and"
for services and "or" for mechanisms).

2. WSPF supports capabilities.  In this context "capabilities" means
functions that a service "can", and "is willing", to perform, but that it
is not "required" to perform.  The authors introduce an ad hoc logic system
to express this.  XACML is also capable of expressing capabilities within
its formal logic system.  This is best illustrated by an example:

<policyId = Policy1>

This indicates that the target of the policy has the capability:
Capability1.  It is of little interest to a PDP, which would always
evaluate this expression to "true".  However, an algorithm that combines
this policy with the policy:

<policyId = Policy2>

would create the definitive policy:

<policyId = Policy3>

which would be acceptable to the authors of both Policy1 and Policy2.

All the best.  Tim.
      -----Original Message-----
      From: Tim Moses [mailto:tim.moses@entrust.com]
      Sent: Wednesday, January 29, 2003 4:16 PM
      To: 'XACML'
      Subject: [xacml] Comparing ACME with WS Policy framework

      Colleagues - Here are some preliminary thoughts on the relationship
      between the OASIS standard XACML and the proprietary WS Policy
      framework.  I am interested in other people's views.  All the best.

      Tim Moses
