From: Anthony Nadalin [mailto:drsecure@us.ibm.com]
Sent: Tuesday, March 06, 2007 10:28 PM
To: Hal Lockhart
Cc: Prateek Mishra; xacml@lists.oasis-open.org
Subject: RE: [xacml] New Topic: Policy Provisioning
I think that there are a number of issues:
1) Very large feature set, a number of capabilities in the core set belong to
web services development tools rather than provisioning, including schema and
capability discovery. This places a burden on implementing SPML 2. This poses
problems for vendors trying to implement SPML introducing the need to hand
craft SPML implementations and for IT organizations in hand crafting client
applications (requesting authorities) for those SPML providers rather than
being able to generate code from WSDL.
2) Insufficient description of integration with security. There is no
description of communication of the identity of the user submitting the request
(identity of the RA), which may be necessary for authentication, authorization,
and auditing. T
3) Insufficient feature set for enterprises wanting to develop simple self
service user interfaces with web services.
WS-MEX/Transfer may be one approach. One of the key problems that it addresses
is the need for out-of-band information that SPML does, which is related to the
first point above.
Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122
"Hal Lockhart" <hlockhar@bea.com>
03/06/2007 09:50 AM
To: Anthony Nadalin/Austin/IBM@IBMUS, "Prateek Mishra" <prateek.mishra@oracle.com>
cc: <xacml@lists.oasis-open.org>
Subject: RE: [xacml] New Topic: Policy Provisioning
I don’t see any technical reason why SPML is inappropriate. Policy
provisioning has been discussed by the Provisioning TC as a use case. In
addition, there are specific features of SPML, such as operators, batching,
etc. which we would have to reinvent if we do not use SPML. Do you see a
specific technical problem or have an alternative starting point in mind?
Hal
From: Anthony Nadalin [mailto:drsecure@us.ibm.com]
Sent: Tuesday, March 06, 2007 10:27 AM
To: Prateek Mishra
Cc: Hal Lockhart; xacml@lists.oasis-open.org
Subject: Re: [xacml] New Topic: Policy Provisioning
Is SPML the proper protocol for policy lifecycle mechanisms? Seems like a bit of a
stretch.
Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122
Prateek Mishra <prateek.mishra@oracle.com>
03/06/2007 08:56 AM
To: xacml@lists.oasis-open.org
cc: Hal Lockhart <hlockhar@bea.com>
Subject: Re: [xacml] New Topic: Policy Provisioning
Hal,
Your proposed approach is of interest to us.
I will obtain additional feedback on this issue and post the use-cases
of interest to us.
- prateek
> I have taken a further look at SPML and suggest the following might be a
> reasonable approach. Base the implementation on the SPML v2 - XSD
> Profile. Use Policy ID as the PSO Identifier. Using SPML defined
> operations the PAP can inquire of a PDP what policies it currently has.
> Using SPML the PAP can add, modify and delete policies as required.
> Using the SPML Batch capability, the PAP can insure that a set of
> updates is applied as a unit, thus avoiding the problem of the PDP
> making decisions on some inconsistent, interim set of policies. SPML
> also provides other potentially useful features such as error codes,
> asynchronous operations and capability queries.
>
> The main thing that this proposal requires is people who are willing to
> contribute to the work and edit the document.
>
> Hal
>
>
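
The batch-as-a-unit behaviour proposed in the quoted message, sketched as an added example that is not part of the original thread: a PDP-side store keyed by Policy ID that stages add, modify and delete operations on a copy and swaps it in only if every operation succeeds. This is an in-memory model, not SPML wire format; `PolicyStore`, `BatchError`, the verb strings and the `urn:example:` policy IDs are hypothetical names constructed for illustration.

```python
import threading


class BatchError(Exception):
    """Raised when any operation in a batch fails; nothing is applied."""


class PolicyStore:
    """Hypothetical PDP-side store mapping policy ID -> policy document."""

    def __init__(self):
        self._active = {}              # the set the PDP evaluates against
        self._lock = threading.Lock()  # serialises concurrent PAP writers

    def list_ids(self):
        # PAP inquiry: which policies does this PDP currently hold?
        return sorted(self._active)

    def snapshot(self):
        # Decision code takes one reference and evaluates against it only.
        return self._active

    def apply_batch(self, ops):
        """ops is a list of (verb, policy_id, document_or_None) tuples."""
        with self._lock:
            staged = dict(self._active)  # work on a copy, never in place
            for i, (verb, pid, doc) in enumerate(ops):
                if verb == "add" and pid not in staged:
                    staged[pid] = doc
                elif verb == "modify" and pid in staged:
                    staged[pid] = doc
                elif verb == "delete" and pid in staged:
                    del staged[pid]
                else:
                    # Unknown verb, duplicate add, or missing target:
                    # reject the whole batch so no interim set is visible.
                    raise BatchError(f"op {i}: cannot {verb} {pid}")
            self._active = staged        # single reference swap


if __name__ == "__main__":
    store = PolicyStore()
    # Constructed sample batch.
    store.apply_batch([("add", "urn:example:policy:1", "<Policy v1/>"),
                       ("add", "urn:example:policy:2", "<Policy v1/>")])
    print(store.list_ids())
```

A decision in progress keeps evaluating against the snapshot it took, so it sees either the old policy set or the new one, never a mixture.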