OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [xacml] Issues 63, 71 and 77

Yes, it makes sense. So, we should allow the cross product, and write a
security consideration to warn implementers about DoS.


Anne Anderson - Sun Microsystems wrote:
> Use cases come up where the requester has a group of subjects and a
> group of resources, and needs to find out which of those subjects can
> access which of those resources, or where there is a group of
> resources and a group of actions, and the requester needs to know
> which of those actions the subject can perform on which of those
> resources.  The requester can submit a separate Request for each
> combination, but it would save bandwidth to send a single Request that
> is expanded on the PDP side.
> This can come up in practice with the sorts of applications that
> present different menus to different user roles depending on the tasks
> they want to perform.  Assume the policies are updated between
> midnight and 1am every night, and no access is allowed during that
> time.  The application can be optimized to determine the allowed
> combinations at 1am every morning rather than on each individual user
> access.
> Implementations could place limits on the maximum number of
> combinations if necessary.  This limit could be included in the PDP
> metadata.
> Regards,
> Anne
> Erik Rissanen wrote:
>> Anne Anderson - Sun Microsystems wrote:
>>>> If there are two or more categories which are repeated, then it is an
>>>> error.
>>> Alternatively, we could say that the cross product of the combinations
>>> will be created, and each evaluated as a separate request.  Using
>>> simpler syntax just to illustrate:
>> Yes, I thought about this as well, but I couldn't think of any
>> meaningful use cases to it. My concern with the cross products is that
>> the amount of work and the size of the output increase exponentially,
>> meaning that it opens up a vulnerability for DoS attacks.
>> Regards,
>> Erik

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]