Subject: Re: [xacml] Call for Obligations
> Has there been any work on obligations since xacml v2.0?

The majority of work done on Obligations has been summarized on the wiki.

> Some use cases:
> Some of the things that pop up in mind with reference to
> obligations are:
> a) Auditing. (Common use case).
> b) Deny further requests on a particular subject if the number of
> unsuccessful authorization requests > n times. (More of a DOS use
> case). - Blacklist a subject.

Can you provide a bit more detail on these? A description of the possible Members for each of these and what each should do would be a nice start ;)

> Priority among ObligationCategoryMembers:
> http://wiki.oasis-open.org/xacml/DiscussionOnObligations
> In the case of "encrypt" category, what if the PEP is unable to
> encrypt using "3DES" but can do "blowfish"? I think there is scope
> for levels of priority here with reference to obligation categories
> for the various members.

In the normative sense, the PDP makes its decision in ignorance of the capabilities of the PEP; likewise the PEP is unaware of the Obligations the PDP may consider. So, should a PDP render an Obligation of "3DES" but the PEP doesn't support it, an Error condition would result on the PEP. It is theoretically possible for a PDP to return an entire Category in sequential order for processing by the PEP, but we have not considered such a case (as it would require PDP-like actions on the PEP). An interesting idea though. Perhaps we should work through the ramifications to see what we come up with...

> Optional Obligations:
> I am also wondering if there is scope to specify whether a
> particular obligation is required or optional. The reason is if a
> particular PEP is not able to perform a particular obligation, then
> it is non-reasonable to deny a particular access. A policy writer
> should be able to specify obligations that are mandatory and some
> that are optional (e.g. logging for performance purposes).

Hmmm... this seems like kind of a weird one: an Obligation that doesn't really obligate the PEP to do anything. Guess I am going to have to pull out the "Show me the Use Case" card :o) since "logging for performance purposes" isn't clear to me. Can you elaborate?

> Sorry if I have been way off-topic.

This is good stuff. Let's explore it a bit and see where we end up. I think you have introduced some ideas that will make for interesting study! Please feel free to start capturing your ideas on the wiki.

b
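As an added illustration of the two ideas discussed above (not code from this thread or from the XACML specification): a small PEP enforcement loop in Python that fails closed when a mandatory obligation cannot be discharged (the "Error condition" case), walks an ordered algorithm list for an "encrypt" obligation as the priority proposal suggests, and skips the proposed optional obligations. The obligation ids, handler names and the SUPPORTED_CIPHERS set are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Obligation:
    id: str                         # obligation identifier from the policy
    attrs: dict = field(default_factory=dict)
    mandatory: bool = True          # optional-obligation idea from the thread (not in XACML 2.0)

@dataclass
class Decision:
    effect: str                     # "Permit" or "Deny" as returned by the PDP
    obligations: list = field(default_factory=list)

# Constructed PEP capabilities: this PEP can do blowfish and AES, but not 3DES.
SUPPORTED_CIPHERS = {"blowfish", "aes"}

def encrypt_handler(attrs):
    """Ordered preference list, as proposed in the thread: first supported algorithm wins."""
    for alg in attrs.get("algorithms", []):
        if alg in SUPPORTED_CIPHERS:
            return alg              # truthy result = obligation discharged with this choice
    return None                     # nothing usable: obligation not discharged

def audit_handler(attrs):
    return "logged"                 # stand-in for writing an audit record

HANDLERS = {"encrypt": encrypt_handler, "audit": audit_handler}

def enforce(decision, handlers=HANDLERS):
    """Return (effective decision, list of (obligation id, result)) for a PDP decision."""
    if decision.effect != "Permit":
        return "Deny", []
    done = []
    for ob in decision.obligations:
        handler = handlers.get(ob.id)
        result = handler(ob.attrs) if handler else None
        if not result:
            if ob.mandatory:
                # Fail closed: a mandatory obligation the PEP cannot discharge means
                # the PEP must not grant access, even though the PDP said Permit.
                return "Deny", done
            continue                # optional obligation: skip it and carry on
        done.append((ob.id, result))
    return "Permit", done
```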