Subject: RE: [xacml-dev] XACML X.509 support


I will try to answer from the standard perspective - I am sure that
people familiar with the particular implementation you work with will
fill in.

How the information gets into the context handler and how its consistency is
ensured -- transport layer security, digital signatures -- is outside
of the scope for the XACML standard. It is expected that a particular
implementation takes care of this - there are plenty of good tools to
choose from. Environments where XACML can be used are too diverse.

D;

-----Original Message-----
From: Mine Altunay [mailto:maltuna@ncsu.edu] 
Sent: Tuesday, February 22, 2005 11:22 AM
To: xacml@lists.oasis-open.org
Cc: sunxacml-discuss@lists.sourceforge.net; xacml-dev mailing list
Subject: [xacml-dev] XACML X.509 support

Hi all,

How does a PDP verify the validity/legitimacy of claimed attributes in a
given request? For example, a subject attribute may claim that the user is
a member of a developer group. Then, the PDP would evaluate this information
and decide the appropriate access decision for the "developers". However,
how does the PDP verify that the said subject is indeed a member of the
claimed group? What I see from PDP and request examples is that a request
does not carry such proofs, such as attribute credentials or identity
credentials.

However, lack of such support makes the authz process very naive,
vulnerable to malicious users.

Additionally, I am working with an identity-based authz system that relies
on X.509 credentials. Therefore, for my PDP it is important not only to
get an access decision, but also to verify that the subject does indeed
have a valid certificate (or ACs or whatever the policy calls for). Right now,
I am using the XACML X500NameAttribute; however, it does not really prove
that this subject indeed has an issued certificate. (I am naively passing
the DN and hoping that the user is honest with it.)

If you could point me to ways to provide such a verification in my XACML
framework, I would be grateful.

Also, do you see this verification problem as out of the XACML scope, or is
there already support in the existing XACML framework that perhaps I am
missing?

PS: I also thought about external means to send the certificate after the
authz process, but it is costly and redundant.

Thank you all

-- 
Mine Altunay
PhD student,
Computer Engineering Dept, NC State Univ
Phone: (919) 395 2789
E-Mail: maltuna@ncsu.edu
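As an added illustration of the division of labour described in the reply (this is example code, not from either poster or from Sun's XACML implementation), the following Java sketch has the context handler validate the presented X.509 chain with the JDK's PKIX validator and only then place the certificate's DN into the request as the XACML 1.x subject-id attribute. The trusted CA certificate, the leaf-first ordering of the chain and the decision to leave revocation checking to another component are assumptions of the example.

```java
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;

/** Context-handler step: only a DN taken from a verified certificate reaches the PDP. */
public final class VerifiedSubjectContext {

    private static final String X500_TYPE =
        "urn:oasis:names:tc:xacml:1.0:data-type:x500Name";
    private static final String SUBJECT_ID =
        "urn:oasis:names:tc:xacml:1.0:subject:subject-id";

    /**
     * Validates the presented chain (leaf first, trust anchor excluded) against the CA
     * we trust and returns the end-entity DN. Nothing about the subject is believed
     * before this method returns normally.
     */
    public static String verifiedSubjectDn(List<X509Certificate> chain, X509Certificate trustedCa)
            throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(chain);
        TrustAnchor anchor = new TrustAnchor(trustedCa, null);
        PKIXParameters params = new PKIXParameters(Collections.singleton(anchor));
        // Assumption for this example: CRL/OCSP checking is done by another component.
        params.setRevocationEnabled(false);
        // Throws CertPathValidatorException on a bad signature, expired cert or untrusted issuer.
        CertPathValidator.getInstance("PKIX").validate(path, params);
        return chain.get(0).getSubjectX500Principal().getName();
    }

    /** Builds the XACML subject-id attribute from a DN that has already been verified. */
    public static String subjectAttributeXml(String verifiedDn) {
        return "<Subject>\n"
             + "  <Attribute AttributeId=\"" + SUBJECT_ID + "\" DataType=\"" + X500_TYPE + "\">\n"
             + "    <AttributeValue>" + escapeXml(verifiedDn) + "</AttributeValue>\n"
             + "  </Attribute>\n"
             + "</Subject>";
    }

    private static String escapeXml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;");
    }
}
```

The PDP still evaluates the x500Name attribute exactly as before; what changes is that a client-supplied DN is never copied into the request unless the chain behind it validated.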
