Subject: Re: [xacml] Re: Call for Obligations


The semantics of a particular Obligation are completely between the 
Policy Administration Point and the PEP.  The PAP could define a 
particular Obligation "TryToLog" as meaning: "Make a best effort to log, 
but it is not an error if unable to do so".

Anne

Anil Saldhana wrote:

> I understand that obligation means obligation. :)
> 
> Anil Saldhana wrote:
> 
>> My use cases in mind are the following (please correct me wherever my 
>> understanding is wrong):
>> a) Legitimate authorization request arrives at the PEP. PEP invokes 
>> the PDP. PDP comes back with 'PERMIT' and a set of obligations. PEP is 
>> unable to fulfill 1 or more obligations. PEP issues an error. What 
>> happened to the legitimate request?
>> b) PDP issues a 'PERMIT' with a logging obligation. PEP does not want 
>> to log because performance considerations have been put forward and 
>> logging is low priority for the PEP. PEP issues an error.
>>
>> These are the use cases that I feel that obligations can have an 
>> optional tag such that PEP can be spec compliant in ignoring them.
>>
>> sampo@symlabs.com wrote:
>>
>>> Anil Saldhana writes:
>>>
>>>> Has there been any work on obligations since xacml v2.0?
>>>> Some use cases:
>>>> Some of the things that pop up in mind with reference to obligations 
>>>> are:
>>>> a) Auditing. (Common use case).
>>>> b) Deny further requests on a particular subject if the number of 
>>>> unsuccessful authorization requests > n times. (More of a DOS use 
>>>> case). - Blacklist a subject.
>>>> Priority among ObligationCategoryMembers:
>>>> http://wiki.oasis-open.org/xacml/DiscussionOnObligations
>>>> In the case of "encrypt" category, what if the PEP is unable to 
>>>> encrypt using "3DES" but can do "blowfish"?  I think there is scope 
>>>> for levels of priority here with reference to obligation categories 
>>>> for the various members.
>>>> Optional Obligations:
>>>
>>>
>>> How is an Obligation an obligation if it is optional?
>>> Perhaps better wording would be qualified or alternate obligations,
>>> e.g. either you MUST log or you MUST validate a digital
>>> signature (which MUST be present and valid).
>>> Cheers,
>>> --Sampo
>>>
>>>> I am also wondering if there is scope to specify whether a 
>>>> particular obligation is required or optional.  The reason is if a 
>>>> particular PEP is not able to perform a particular obligation, then 
>>>> it is non-reasonable to deny a particular access. A policy writer 
>>>> should be able to specify obligations that are mandatory and some 
>>>> that are optional (e.g. logging for performance purposes).
>>>
>>> __________________________________________________________________
>>> Sym  | Sampo Kellomaki  ______| Identity Architect, Federated SSO
>>> ____ | +351-918.731.007 ______| Liberty ID-WSF DirectoryScript
>>> labs | skype: sampo.kellomaki | LDAP SOAP PlainDoc Crypto C Perl
>>
>>
> 

-- 
Anne H. Anderson               Anne.Anderson@sun.com
Sun Microsystems Labs          1-781-442-0928
Burlington, MA USA
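The enforcement behaviour discussed in this thread, written out as an added example (it is not code from the thread, from OASIS, or from any XACML implementation): a minimal PEP that honours a Permit only when every obligation attached to it is understood and discharged, and otherwise falls back to Deny, which answers the "what happened to the legitimate request?" question in use case (a). It also shows Anne's point that a PAP and PEP can agree on a best-effort obligation such as "TryToLog" without any spec-level "optional" flag: the tolerance lives in the agreed handler semantics, while the generic loop stays strict. The decision model is a constructed Python data structure rather than XACML 2.0 XML; the obligation identifiers under `urn:example:` and the handler names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Obligation:
    obligation_id: str                      # identifier agreed between PAP and PEP
    fulfill_on: str                         # "Permit" or "Deny", as XACML 2.0 FulfillOn
    attributes: Dict[str, str] = field(default_factory=dict)


@dataclass
class Result:
    decision: str                           # Permit, Deny, NotApplicable or Indeterminate
    obligations: List[Obligation] = field(default_factory=list)


class ObligationFailed(Exception):
    """Raised by a handler that cannot discharge its obligation."""


# Constructed PEP state: an audit sink that can be switched off to simulate
# the "PEP is unable to log" situation from use case (b).
audit_log: List[str] = []
_state = {"logging_available": True}


def set_logging_available(flag: bool) -> None:
    _state["logging_available"] = flag


def must_log(attrs: Dict[str, str]) -> None:
    """Mandatory audit obligation: not being able to log is an error."""
    if not _state["logging_available"]:
        raise ObligationFailed("audit sink unavailable")
    audit_log.append(f"AUDIT subject={attrs.get('subject')} resource={attrs.get('resource')}")


def try_to_log(attrs: Dict[str, str]) -> None:
    """The PAP-defined 'TryToLog' obligation: best effort, never an error.

    The optionality is part of the semantics the PAP and PEP agreed on for
    this obligation id, so the generic enforcement loop needs no flag.
    """
    try:
        must_log(attrs)
    except ObligationFailed:
        pass


def encrypt_3des(attrs: Dict[str, str]) -> None:
    """Constructed stand-in for an obligation this PEP cannot perform."""
    raise ObligationFailed("3DES not available on this PEP")


# Hypothetical obligation ids; a real PAP would choose its own URIs.
HANDLERS: Dict[str, Callable[[Dict[str, str]], None]] = {
    "urn:example:obligation:log": must_log,
    "urn:example:obligation:TryToLog": try_to_log,
    "urn:example:obligation:encrypt-3des": encrypt_3des,
}


def enforce(result: Result, handlers: Dict[str, Callable] = HANDLERS) -> str:
    """Return the decision the PEP actually enforces.

    Only obligations whose FulfillOn matches the decision apply. A Permit is
    honoured only if each applicable obligation is both understood (a handler
    exists) and discharged (the handler does not fail); anything else is Deny.
    """
    if result.decision not in ("Permit", "Deny"):
        return "Deny"                       # NotApplicable / Indeterminate: deny by default
    for ob in result.obligations:
        if ob.fulfill_on != result.decision:
            continue                        # not attached to this decision
        handler = handlers.get(ob.obligation_id)
        try:
            if handler is None:
                raise ObligationFailed(f"obligation not understood: {ob.obligation_id}")
            handler(ob.attributes)
        except ObligationFailed:
            return "Deny"                   # a Permit collapses to Deny; a Deny stays Deny
    return result.decision


if __name__ == "__main__":
    attrs = {"subject": "alice", "resource": "doc1"}   # constructed request context
    permit_log = Result("Permit", [Obligation("urn:example:obligation:log", "Permit", attrs)])
    print(enforce(permit_log), audit_log[-1])
    set_logging_available(False)
    print(enforce(permit_log))                          # strict logging: Deny
    permit_try = Result("Permit", [Obligation("urn:example:obligation:TryToLog", "Permit", attrs)])
    print(enforce(permit_try))                          # best-effort logging: Permit
```

Note that the same enforcement loop also covers Sampo's objection: nothing in `enforce` treats any obligation as optional, so a policy writer who wants leniency has to say so through the obligation id and its agreed handler, and a PEP that receives an id it has no handler for still denies.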

