xacml message

Subject: A dynamic revocation model for XACML


Back when I worked as a researcher at the Swedish Institute of Computer 
Science, a colleague of mine, Ludwig Seitz, and I wrote a paper on a 
revocation model for XACML.

The paper was intended for academic publication, but it was difficult to 
make a good presentation of the topic, since covering it fully would 
essentially mean duplicating the delegation profile to explain the 
context of the work. We never got around to getting it into a state where 
it could be published at an academic workshop.

SICS has published the paper in their technical report series. It is called

"T2008-10 Context Dependent Revocation in Delegated XACML"

and it is available here:


You should read the full paper to get all the details, but the quick 
summary is this: The paper presents a revocation model for the draft 
delegation profile in 3.0, where the model could be summarized as "You 
may revoke those policies which you could create yourself". The use case 
is that administrators may change positions, in which case each 
administrator should be able to handle those policies which are his 
duties, whether they were issued by him in person, or someone else. This 
is in contrast to the more typical revocation model, for instance in 
X.509 PKI, where the issuer of something is the authority of revocation. 
In the model we wanted the already existing administrative policies also 
to define the scope of rights to revoke policies in addition to the 
scope of rights to issue policies.

It is our hope that this will be beneficial to XACML and the XACML 

Best regards,
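
The rule summarized in the message above ("You may revoke those policies which you could create yourself"), shown next to issuer-only revocation. This is an added example, not part of the original message and not the paper's algorithm or XACML syntax; the `Policy` record, the `root` trust anchor and all names and policies in it are constructed assumptions.

```python
from dataclasses import dataclass

TRUSTED = "root"  # assumed trust anchor; may issue anything

@dataclass(frozen=True)
class Policy:          # hypothetical simplified policy record
    pid: str
    issuer: str        # who issued the policy
    subject: str       # who the policy grants a right to
    resource: str
    action: str
    admin: bool = False  # True: grants the right to issue for this scope

def may_issue(who, resource, action, policies, seen=frozenset()):
    """True if `who` could create a policy for (resource, action): `who` is the
    trust anchor, or holds an administrative policy for that scope whose own
    issuer could have issued it (followed up the delegation chain)."""
    if who == TRUSTED:
        return True
    return any(
        p.admin and p.subject == who and p.pid not in seen
        and (p.resource, p.action) == (resource, action)
        and may_issue(p.issuer, resource, action, policies, seen | {p.pid})
        for p in policies
    )

def may_revoke_context(who, target, policies):
    # Context-dependent rule: the administrative policies in force now
    # decide who may revoke, exactly as they decide who may issue.
    return may_issue(who, target.resource, target.action, policies)

def may_revoke_issuer_only(who, target):
    # The "more typical" model: only the original issuer may revoke.
    return who == target.issuer

# Constructed scenario: alice administers read access to "records" and issues
# P1 for carol; alice then changes position and bob takes over her duties.
A1 = Policy("a1", "root", "alice", "records", "read", admin=True)
A2 = Policy("a2", "root", "bob", "records", "read", admin=True)
P1 = Policy("p1", "alice", "carol", "records", "read")
BEFORE = [A1, P1]   # alice holds the administrative right
AFTER = [A2, P1]    # the right has moved to bob

if __name__ == "__main__":
    for who in ("alice", "bob", "dave"):
        print(who, "context:", may_revoke_context(who, P1, AFTER),
              "issuer-only:", may_revoke_issuer_only(who, P1))
```

After the handover, bob can revoke P1 under the context-dependent rule although he did not issue it, while alice no longer can; issuer-only revocation gives the opposite answer for both.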
