OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Policy administration topics

We now have multiple work items that seem very related:

29. Policy Authority Delegation
31. Attribute Issuer as Subject
38. Policies for the Administration of XACML Policies

Do we really have one work item here:

  How does the PDP know if issuer I is trusted to issue policies
  about a particular combination of subjects, resources, and

Use Model: I believe everyone agrees on the use model:

  The PDP's policy-retriever component tests whether to trust a
  given candidate policy by sending an XACML request describing
  the candidate policy to a Policy Administration PDP that is
  configured with policies describing which candidate policies to

Proposal S: (Simon)

  I believe Simon's proposal is a pull model, where the PDP pulls
  policies as required from repositories or issuers:

  When the PDP's policy-retriever component tests whether to
  trust a given candidate policy, it constructs a Request that

  o Subject: the Issuer of the candidate policy (take the
    Issuer from the signature on the SAML Assertion encapsulating
    the candidate policy),
  o Resource: the actual <Target> element of the candidate policy as
    the value of a new Resource Attribute "policy-target",
  o Action: "issue policy"

  Define a new FunctionId that does an exact byte-for-byte match
  between normalized values for <Target> elements, and use this
  in writing policies describing which issuer Subjects can "issue
  policy" for given Targets.

  Issue: the model for how the set of applicable policies used by
  a PDP is constructed is not entirely clear.  Some possible

  1. The PDP is configured with a base PolicySet, and is just
     validating the components of its subtree as it retrieves
     them while doing evaluations.
  2. The PDP at any one time has a bag of candidate policies.  It
     periodically evaluates which ones to trust using the
     procedure above.  Out of the trusted policies, it then
     constructs the PolicySet and its subtree by matching up
     PolicyId#'s and PolicySetId#'s (these are assumed to fit
     together in some consistent way).
  3. The PDP at any one time has a bag of candidate policies.  It
     periodically evaluates which ones to trust as in #2.  The
     PDP is configured with a base PolicySet that has a specified combining
     algorithm.   Prior to evaluating Requests, all validated
     Policies and PolicySets are plugged into the base PolicySet
     as top-level components.

Proposal A: (Anne)

  This is a push model: Policy issuers push policies to a new
  Policy Administration API in the PDP, along with the Id of the
  Policy or PolicySet that the new pushed policy affects.

  Each PDP is configured with an initial Access Control PolicySet
  and an initial Policy Administration PolicySet.  The PDP
  validates each pushed policy by sending it in an XACML Request
  that is evaluated according to the current Policy
  Administration PolicySet.  If the pushed policy is validated,
  then the policy-administration component of the PDP makes the
  appropriate changes to the indicated Access Control PolicySet
  or Policy Administration PolicySet and their sub-policies.  Its
  two trusted trees of policies are stored in a secure cache.

  When validating a pushed policy, the Request from the
  policy-administration component includes:

  o Subject: the Issuer of the pushed policy (take the issuer
    from the signature on the SAML Assertion encapsulating
    the pushed policy).
  o Resource:
    - resource-id Attribute contains the PolicyId or PolicySetId
      of the Policy or PolicySet affected by this request
    - ResourceContent contains the pushed policy [not needed with
      delete-policy action]
  o Action: Possible actions are:
    - create-sub-policy under PolicyId x [in slot# y]
    - delete-policy id=x
    - replace-policy id=x
    - replace-policy-target id=x
    - replace-policy-combining-alg id=x

  Policies can express conditions on candidate policies by using
  XPath expressions to extract components of the candidate policy
  from the ResourceContent and place conditions on them using
  standard XACML functions.  A simple form of Condition could use
  the target-match function defined in Simon's proposal, so the
  degenerate form of this proposal is quite similar to Proposal

  Sample policy used by Policy Administration PDP: "issuers A and
  B can create sub-policies under PolicyId 3 so long as the
  sub-policy Target Resource is "abc".

  <PolicySet PolicySetId="1" CombiningAlgId="deny-overrides">
    <Policy PolicyId="2" CombiningAlgId="deny-overrides">
          <Subject>issuer A</Subject>
          <Subject>issuer B</Subject>
          <Resource>PolicyId 3</Resource>
          Resource/ResourceContent/Policy/Target/Resource/resource-id = "abc"
Proposal F: (Frank)

  I believe Frank proposes including the Issuer of a policy as a
  new classification, alongside the existing Subject, Resource,
  and Action.  When a PDP is trying to decide whether to trust a
  given policy, it will evaluate the policies that are applicable
  to that "Issuer".

  If I understand Frank's proposal correctly, I think it is the
  same as Proposal S or Proposal A.

Proposal P: (Polar)

  I did not actually see Polar work out his proposal, so I don't
  know how it differs from S, A, or F.

Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]