Subject: [WSPL] Do attestations belong in policy?


I strongly object to the idea of including "attestations" within
the scope of a policy language.  "Attestations" are not
"policies".  A policy may be predicated on attestations, but does
not provide attestations.  For example, a policy makes statements
of the form

  "If you have an authenticated attestation from a trusted
   attestor that you have logged in using a smart card then 
   you are allowed to access operation Z of service Y".

A policy does not make statements of the form

  "The issuer of this policy attests that Subject X has logged in
   using a smart card".

"Attestations" are "assertions".  They are handled by SAML in the
XML standards world, and by X.509 Attribute Certificates in the
X.500 world, as examples of two well accepted standards.

A policy language should have a way of referencing or describing
attestations (such as XACML's Request Context), but the policy
language does not supply the attestations that a policy
references and is not a way of making attestations.

Anne

------- start of forwarded message -------
From: Anthony Nadalin <drsecure@us.ibm.com>
To: <security-services@lists.oasis-open.org>
Subject: Re: [security-services] Groups - authentication-context.pdf uploaded
Date: Wed, 15 Oct 2003 21:09:32 -0500

John,

>I think there are subtle differences between authentication method,
>authentication context, and what I will call authentication context
>policy:

Basically you have the right direction, you may have missed the point that
the domain specific policies in WS-Policy can be attestations, thus policy
can attest to authentication method and form the authentication context.

Anthony Nadalin | work 512.436.9568 | cell 512.289.4122

------- end of forwarded message -------

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311    Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
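The separation argued for above, as an added example that is not part of the original message: the attestor issues the attestation (the assertion side), a context handler admits an attribute into the request context only from an authenticated, trusted attestor, and the policy merely references that attribute. The attestor names, keys and an HMAC standing in for a signed SAML assertion are all constructed for the example.

```python
"""Policy predicated on an attestation vs. an attestation itself (added example)."""
import hmac
import hashlib

# Constructed sample: trusted attestors and their verification keys (hypothetical values).
TRUSTED_ATTESTORS = {"idp.example.org": b"idp-secret-key"}


def sign_attestation(issuer: str, key: bytes, subject: str, authn_method: str) -> dict:
    """Issue an attestation: this is what an assertion authority does, not the policy."""
    msg = f"{issuer}|{subject}|{authn_method}".encode()
    return {"issuer": issuer, "subject": subject, "authn_method": authn_method,
            "mac": hmac.new(key, msg, hashlib.sha256).hexdigest()}


def build_request_context(subject: str, attestations: list) -> dict:
    """Context handler: admit an attribute only from an authenticated, trusted attestor."""
    ctx = {"subject-id": subject, "authn-method": None}
    for a in attestations:
        key = TRUSTED_ATTESTORS.get(a["issuer"])
        if key is None or a["subject"] != subject:
            continue  # untrusted attestor, or an attestation about someone else
        msg = f"{a['issuer']}|{a['subject']}|{a['authn_method']}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if hmac.compare_digest(a["mac"], expected):
            ctx["authn-method"] = a["authn_method"]  # attestation authenticated
    return ctx


def evaluate_policy(ctx: dict, resource: str, action: str) -> str:
    """The policy from the message: it references the attestation, never supplies it."""
    if resource == "service-Y" and action == "operation-Z":
        return "Permit" if ctx["authn-method"] == "smartcard" else "Deny"
    return "NotApplicable"
```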