Subject: A dynamic revocation model for XACML
All,

Back when I worked as a researcher at the Swedish Institute of Computer Science, I and a colleague of mine, Ludwig Seitz, wrote a paper on a revocation model for XACML. The paper was intended for academic publication, but it was difficult to make a good presentation of the topic, since covering it fully would essentially mean duplicating the delegation profile to explain the context of the work. We never got around to getting it into a state where it could be published at an academic workshop.

SICS has published the paper in their technical report series. It is called "T2008-10 Context Dependent Revocation in Delegated XACML" and it is available here:

http://www.sics.se/libindex.html
ftp://ftp.sics.se/pub/SICS-reports/Reports/SICS-T--2008-10--SE.pdf

You should read the full paper to get all the details, but the quick summary is this:

The paper presents a revocation model for the draft delegation profile in 3.0, where the model could be summarized as "You may revoke those policies which you could create yourself". The use case is that administrators may change positions, in which case each administrator should be able to handle those policies which are his duties, whether they were issued by him in person, or someone else. This is in contrast to the more typical revocation model, for instance in X.509 PKI, where the issuer of something is the authority of revocation. In the model we wanted the already existing administrative policies also to define the scope of rights to revoke policies in addition to the scope of rights to issue policies.

It is our hope that this will be beneficial to XACML and the XACML community.

Best regards,
Erik