OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Proposal for WI#2: Location Information

2: Location Information

  Way to pass location information needed to evaluate a policy.
  Examples of such information are:
    o where to find various Attributes,
    o where Attribute Authorities to be used are located
    o where to find function, combining algorithm, data-type,
      Attribute parsing code
  Such information might be embedded in either of
   a. an XACML Request
   b. an XACML policy



  Any XACML implementation that will use attributes other than
  those passed in from the PEP needs to have a way to locate and
  retrieve those attributes.  Often the PEP or the policy writer
  will know where and how a given attribute can or should be
  retrieved, but there is currently no way to express this
  information in XACML.

  XACML is also designed to be extensible to support new
  functions and data types.  Any XACML implementation will need
  to include new executable modules for handling these new
  functions and data types.  A policy writer may know where
  appropriate downloadable executable modules are located, but
  again, there is no way to express this information in an XACML
  policy.  In particular, PDPs implemented in languages such as
  the Java language can use such information to support
  extensions without needing to modify the standard PDP.

  This requirement is based on actual experience with XACML
  1.0/1.1 and the comments and requests received from users of
  Sun's XACML Implementation Open Source project at


  1. What is the syntax for such information


  The following is a portion of another non-XML policy language
  that included such functionality.  The <Definitions> portion of
  the following BNF specifies a syntax for expressing this
  functionality.  I propose modifying it to a suitable XML
  format consistent with XACML.

<BooleanPolicy> ::= [ <Definitions> ] <BooleanCondition>

  A <BooleanPolicy> is a statement that evaluates to 'TRUE' or
  'FALSE'.  The evaluation is done by taking a set of
  <AttributeName> <AttributeValue> pairs supplied by the PEP and
  by the configured AEPs, matching the <LocalAttributeName>s in
  the <BooleanCondition> with the <AttributeName>s in the input
  using 'define attribute' statements, substituting the
  <AttributeValue> for each corresponding <LocalAttributeName> in
  the <BooleanCondition>, then evaluating the <BooleanCondition>.

<Definitions> ::= <Definition> ';' |
                  <Definition> ';' <Definitions>

<Definition> ::= <AttributeDefinition> |
                 <PKIDefinition> |
                 <CertDefinition> |

  A <BooleanPolicy> may begin with one or more <Definitions> that
  provide information for interpreting the <BooleanCondition> of
  the policy.  There are four types of <Definition>:

<AttributeDefinition> ::=  'DEFINE' 'ATTRIBUTE'
                           'TYPE' ':' <AttributeTypeDefinition>

<LocalAttributeName> ::= <LocalName>

  For each <LocalAttributeName> that is used in a
  <BooleanCondition>, there must be an <AttributeDefinition>
  statement that describes how to establish a value for that
  attribute and how to compare values of that attribute.

<AttributeTypeDefinition> ::= ( <HowToGetValue> [ <HowToGetCode> ] ) |

  An <AttributeTypeDefinition> tells how to obtain a value for
  the corresponding attribute and, optionally, how to obtain code
  for comparing the attribute to another value.

  If <HowToGetCode> is omitted, then it is assumed that the
  <BooleanPolicy> implementation knows how to compare the
  associated attribute with another value.

  An <AttributeTypeDefinition> of 'INHERITED' is only valid when the
  <BooleanPolicy> in which it occurs is referenced as a
  <ReferencedBooleanPolicy> from another <BooleanPolicy>
  statement.  'INHERITED' indicates that the definition of the
  attribute is to come from the <BooleanPolicy> in which the
  current <BooleanPolicy> is referenced (that is, the outer

<HowToGetValue> ::= ( 'AC' <ValueSearchParameters> ) |
                    ( 'INPUT' <InputIdentifier> )

  'AC' indicates that the value for the attribute is to come from
  an Attribute Certificate.  'INPUT' indicates that the value for
  the attribute is to come from the PEP or from one of the
  configured AEPs.  If no value is supplied by the PEP, then the
  configured AEPs are asked for a value.

  There may be other <HowToGetValue> options added to the
  language in the future.

<ValueSearchParameters> ::= 'OID' ':' <OID>
                            'HOLDER' ':' <Holders>
                            'AA' ':' <AAName>

  For an 'AC' attribute, which will be obtained from an Attribute
  Certificate, the <OID> of the attribute and the <Holder> of the
  Attribute Certificate must be specified.  The
  <ValueSearchParameters> may also specify the name of the
  Attribute Authority (AA) trusted to certify this attribute

<Holders> ::= <Holder> |
              <Holder> ',' <Holders>

<Holder> ::= <TypedName> |
             <PublicKeyValue> |

<PublicKeyValue> ::= <Hex-EncodedValue>

  The <Holders> list contains names or public key values that are
  allowed as Holder names in any Attribute Certificate used to
  establish a value for this <LocalAttributeName>.  The <Holders> list
  may contain names of other attributes, the values of which are
  to be substituted for the <Holder>.

<AAName> ::= <TypedName> | <LocalCertName>

  An <AAName> is the name of an Attribute Authority trusted to
  initiate chains of Attribute Certificates assigning values for
  the associated attribute.

<InputIdentifier> ::= 'INPUTID' ':' ( <String> | <OID> )

  The <InputIdentifier> is how the attribute value will be tagged
  as it comes in from the PEP or as it is known to the configured

<HowToGetCode> ::= 'CODE' ':' <TypedCodeMethod>

<TypedCodeMethod> ::= ( 'PKI' <PKICodeSearchParameters> ) |
                      ( 'CLASS' <ClassCodeSearchParameters> )

  'PKI' indicates that the code is obtained from an X.509
  Attribute Definition Certificate located through the PKI.
  'URL' indicates that the code is obtained from a URL.  'CLASS'
  indicates that the code is to be obtained from a Java class
  binary.  Additional <TypedCodeMethod>s could be added in the

<PKICodeSearchParameters> ::= [ 'OID' ':' <OID> ]
                              [ 'ADA' ':' <ADAName> ]

  If <TypedCodeMethod> is 'PKI', then code for the attribute may
  be obtained from an Attribute Definition Certificate in the
  Public Key Infrastructure under the <ADAName>.  The attribute
  is defined by the specified <OID>.

  If the <OID> is omitted, then there are two possible defaults.
  If the attribute is an 'INPUT' type, then the <InputIdentifier>
  from the <HowToGetValue> is used, and must be an <OID>.  If the
  attribute is an 'AC' type, its <OID> is used.  If the <ADAName>
  is omitted, then attribute must be an 'AC' attribute, and the
  ADA defaults to the <AAName>

<ClassCodeSearchParameters> ::= [ <JavaClassName> ]
                                [ 'URL' ':' <URL> ]
                                [ 'SIGNER' ':' <SignerNames> ]

  If the <TypedCodeMethod> is 'CLASS', then the code for the
  attribute must be a Java class binary with name
  <JavaClassName>.  If <JavaClassName> is omitted, then the
  'INPUTID' is used as the <JavaClassName>.

  This Java class binary must be of one of the following types:

  - extends the 'java.security.Permission' abstract class,
  - is a 'java.security.CodeSource' object,
  - is a 'java.security.ProtectionDomain' object,
  - is a 'java.security.Principal' object,
  - implements the 'java.security.Principal' interface, or
  - implements a new 'java.security.PolicyAttribute' interface
    (see Appendix \ref{java.security.PolicyAttribute Interface}).

  If a <URL> is supplied, then the class or a Java jar file
  containing the class is expected to be located at the URL.  If
  no <URL> is specified, then the default is the classpath used
  by the PDP.

  If 'SIGNER' is specified, then the class or the entire jar file
  must be signed by all the public key(s) associated with
  <SignerNames> in the PKI.  If no 'SIGNER' is specified, then
  signature checking will not be done: the class or jar file may
  be signed by any signer or may be unsigned.  Note that all jar
  files and class binaries in the <URL> should be signed unless
  they are accessed via a secure channel.

<JavaClassName> ::=

  A <JavaClassName> is a fully qualified Java class name, such as

<SignerNames> ::= <SignerName> |
                  <SignerName> ',' <SignerNames>

<SignerName> ::= <TypedName> | <LocalCertName>

  A <SignerName> is the name associated in the PKI with the
  private key used to create a cryptographic signature.  In order
  to verify the signature, a certificate having <SignerName> as
  its Subject is located in the PKI and the public key from this
  certificate is used.  If the <LocalCertName> form is used, then
  the code is expected to be signed by the certificate defined by
  the <LocalCertName>.

<ADAName> ::= <TypedName> | <LocalCertName>

  An <ADAName> is the name of an Attribute Definition Authority
  trusted to sign an Attribute Definition Certificate defining
  the associated attribute.  The definition of an attribute
  includes its ASN.1 syntax, identifiers for its Matching
  Rule(s), and possibly pointers to executable code for
  constructing instances of the attribute and its matching rule.

<PKIDefinition> ::= 'DEFINE' 'PKI' <LocalCertNames>
                    'CS' ':' <CertStores>
                    [ <ValidationParameters> ]

  A <PKIDefinition> defines the parameters required to map names
  to public keys using a Public Key Infrastructure.  Each Trust
  Anchor is expressed using its <LocalCertName> as defined in a
  <CertDefinition> statement.

  Associated with the set of Trust Anchors is a set of
  certificate stores, and a set of optional
  <ValidationParameters>.  A certificate for each Trust Anchor
  must be located in the certificate stores and verified using
  the certificate fingerprint specified in the
  <CertDefinition> statement that defines that Trust
  Anchor.  There can be at most one <PKIDefinition> statement in
  a single policy.  The scope of the <PKIDefinition> is the
  <BooleanPolicy> in which it occurs.  It applies to any
  <ReferencedBooleanPolicy> that does not have its own

  If the Trust Anchor certificate found in the specified
  <CertStores> contains a Subject Information Access extension
  with an access method of "id-ad-caRepository", then
  certificates and CRLs issued by that Trust Anchor may be
  located either in the location specified in the Subject
  Information Access extension or in the specified <CertStores>.
  Otherwise, certificates and CRLs may be obtained from the
  specified <CertStores> or using other mechanisms, such as the
  Subject Information Access extension, the CRL Distribution
  Points extension, etc.

  If no <PKIDefinition> statement is present in a policy, then
  the <PKIDefinition> used for its enclosing <BooleanPolicy> will
  apply.  If there is no enclosing <BooleanPolicy>, then the PDP
  will use its configured default PKI definition.

<LocalCertNames> ::= <LocalCertName> |
                     <LocalCertName> ',' <LocalCertNames>

<LocalCertName> ::= <LocalName>

  A <LocalCertName> is a mnemonic name defined in a
  <CertDefinition> statement.  The scope of the <LocalCertName>
  is the immediate <BooleanPolicy>.

<CertStores> ::= <CertStore> |
                 <CertStore> ',' <CertStores>

<CertStore> ::= <CertStoreType> ':' <CertStoreURL>

  A <CertStore> is a repository for one or more certificates.
  The <CertStoreType> indicates the type of the repository and
  the URL points to the repository.

<CertStoreType> ::= 'LDAP' | 'KEYSTORE'

  If the type is 'LDAP', then the <CertStoreURL> must be an
  "ldap:" URL.  If the type is 'KEYSTORE', then the
  <CertStoreURL> must be a locator that will retrieve a Java
  Keystore file.

<CertStoreURL> ::= <URL>

  A <CertStoreURL> is the Uniform Resource Locator for a
  certificate store.

<ValidationParameters> ::= <ValidationParameter> |
                           <ValidationParameter> ','

<ValidationParameter> ::= 'POLICIES' ':' <OIDs> |
                          'INHIBITANYPOLICY' |
                          'REQUIREEXPLICITPOLICY' |
                          'INHIBITPOLICYMAPPING' |

  <ValidationParameters> provide controls over the way chains of
  Public Key Identity Certificates are verified.  Each
  <ValidationParameter> has a default value as follows:

     POLICIES: default is none.
     INHIBITANYPOLICY: default is not inhibited.
     REQUIREEXPLICITPOLICY: default is not required.
     INHIBITPOLICYMAPPING: default is not inhibited.
     NOREVOCATION: default is revocation checked.

  In addition, the date for which the certificate validation is
  performed is always the current time and date on the evaluating
  platform.  PolicyQualifiers are always rejected.  For more
  explanation, see the corresponding methods in

<CertDefinition> ::= 'DEFINE' 'CERT' <LocalCertName>

  A <CertDefinition> statement associates a mnemonic
  <LocalCertName> with a trusted certificate.  The trusted
  certificate is specified using a <CertSelector>.

  The <LocalCertName> defined in a <CertDefinition> statement can
  be used in a <PKIDefinition> statement, <AAName>, <ADAName>,
  or <SignerName>.

<CertSelector> ::= ( 'SUBJECT' ':' <SubjectName>
                     'FINGERPRINT' ':' <FingerPrint> ) |
                   ( 'KEYSTOREURL' ':' <URL>
                     [ 'ALIAS' ':' <KeyStoreAlias> ]
                     [ 'FINGERPRINT' ':' <FingerPrint> ] )

  If <CertSelector> is the 'SUBJECT' form, then the trusted
  certificate in the <CertDefinition> is the certificate with
  Subject of <SubjectName> and certificate fingerprint of
  <FingerPrint>.  The certificate must be located in the PKI
  specified in the 'define PKI' statement.

  If <CertSelector> is the 'KEYSTOREURL' form, then the trusted
  certificate in the <CertDefinition> is the certificate in the
  indicated Java KeyStore file with the indicated
  <KeyStoreAlias>.  If no ALIAS is supplied, then the alias
  defaults to the <LocalCertName>.  If the 'FINGERPRINT' option
  is used, then the certificate's fingerprint must match the
  value of <FingerPrint>.  Note that, while 'FINGERPRINT' is
  optional for a KeyStore certificate, it is strongly
  recommended, particularly where the 'KEYSTOREURL' is not
  accessed over a secure, authenticated channel.  If
  'FINGERPRINT' is not included, there is no guarantee that the
  certificate and public key selected are correct.

<SubjectName> ::= <TypedName>

  The <SubjectName> is the typed name used as the Subject of a
  public key certificate.

<FingerPrint> ::= <Hex-EncodedValue>

  A <FingerPrint> is a 128-bit MD5 hash of a public key

<KeyStoreAlias> ::= <String>

  A <KeyStoreAlias> is the mnemonic name by which a certificate
  in a Java KeyStore is located.  Case is not significant in a

<PolicyDefinition> ::= 'DEFINE' 'POLICY' <LocalPolicyName> 
                       'ID' ':' <PolicyName>
                       'AA' ':' <AAName>

  A <PolicyDefinition> is a way of referencing one policy from
  inside of another.  The referenced policy will be expressed as
  a value for the "IssuerPolicy" attribute in an X.509 Attribute
  Certificate (see Appendix \ref{IssuerPolicy Attribute Syntax}).
  The attribute value must have a policyName field with a name
  matching the <PolicyName> specified.

  The X.509 Attribute Certificate is located in the PKI using
  <AAName> as the SOA.  If the Attribute Certificate has expired
  or been revoked since it was last downloaded, then a fresh copy
  is downloaded.  The Attribute Certificate containing the policy
  must validate using the indicated AA name as the SOA.

<LocalPolicyName> ::= <LocalName>

  This is the <LocalName> by which this policy will be referenced
  in a <ReferencedBooleanPolicy> statement.

<PolicyName> ::= <String>

  Each policy in an IssuerPolicy attribute has a name indicating
  what the policy is used for.  This name might be "SunTEA
  approval policy" or "Anne's file use policy".


  [Actual text and schema changes or additions, referencing line
   numbers in the XACML 1.1 PDF Specification, required to
   express this solution in the 2.0 specification.

   This may be in the form of edits to the source XACML 1.1
   Specification, attached to the e-mail containing the

   Don't bother with this until the SUMMARY indicates there are
   no issues that remain to be resolved, and there is consensus
   on one PROPOSED SOLUTION above.]

Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]