

Subject: RE: [xacml] FW: some little questions


Perhaps I gave the wrong impression about protecting a policy repository.
 
During the discussions which led to XACML 3.0 it was pointed out that with XACML 2.0 (or any version really) you can protect operations such as CRUD on a repository. However, this approach would not let you control the scope of capabilities of a person editing policies.
 
I suppose we could have considered using XPATH functions to introspect policy contents, but I think the result would have made it very hard to understand the intent of administrative policies.
 
For whatever reasons this approach was not seriously considered and instead we chose the scheme you see in the Admin Profile.
 
Influenced by the requirement to be allowed to provide policies along with the request, we formulated Reduction as a policy decision time process instead of an administration time process. Since the current scheme allows access policies and their enabling administrative policies to reference distinct attributes, there is no good way to determine if an access policy is in force, except in the context of a particular decision.
 
Hal
-----Original Message-----
From: Harold Lockhart
Sent: Thursday, July 16, 2009 10:20 AM
To: xacml@lists.oasis-open.org
Subject: [xacml] FW: some little questions

 
-----Original Message-----
From: Jan Herrmann [mailto:herrmanj@in.tum.de]
Sent: Thursday, July 16, 2009 8:43 AM
To: Harold Lockhart
Subject: some little questions

Hello Hal,

I modified the slides from the Boston meeting a little bit to focus on the things that might be of interest for your group.

Now I am wondering how you usually do presentations during your telecons. Are you using google docs or special tools like team viewer?

Another question: In Boston you mentioned that a couple of years ago the XACML TC discussed how to administrate XACML policies. You mentioned that using XACML itself to control access to a PAP Web Service was rejected and instead the mechanism described in the new delegation profile was preferred. Are there any internal documents talking about the reasoning behind this decision?

Talk to you later.

greets

jan

 

________________________________________

Jan Herrmann
Dipl.-Inform., Dipl.-Geogr. 

Research Associate

Technische Universität München
Institut für Informatik

Lehrstuhl für Angewandte Informatik / Kooperative Systeme

Boltzmannstr. 3
85748 Garching

Tel:      +49 (0)89 289-18692
Fax:     +49 (0)89 289-18657
www11.informatik.tu-muenchen.de
________________________________________

 


