Re: [xacml] New issue: new attribute ids for xml multiple decisions

[Erik Rissanen <erik@axiomatics.com>]

Paul,

I think this is an excellent proposal.

There is one more serious issue with the old/current approach. If a PDP 
does not implement the multiple decision/request profile, the "raw" 
initial request would be processed against the policies without any 
warning, leading to potential security issues. Thus the old way of doing 
it is bad for security as well since it fails unsafely.

Best regards,
Erik




Tyson, Paul H wrote:
> The cd-1 Multiple profile, lines 109-111, specifies that the resource-id
> attribute in a multiple decision request shall be replaced with a
> (possibly) different value when creating individual requests.  The new
> value is the one that would be returned (if IncludeInResult=true) in the
> result.
>
> There are a couple of problems with this.  First, it breaks an implicit
> contract that prohibits the context handler from changing attribute
> values (it can provide more values, but should never change or remove
> values from the original request context).  Second, it overloads
> resource-id with a new meaning that is different from its initial
> purpose as a primary identifier of a resource.  When used in a multiple
> decision request for XML content, resource-id now means something like
> "resource selector" in the Request, but reverts to its former meaning as
> "primary identifier" in the Response.
>
> I propose that the resource-id attribute should only be used as a
> persistent primary identifier for a singleton resource, and that two new
> attributes be defined: one for requesting decisions on multiple nodes of
> XML content, and another for identifying those nodes in a XACML
> response.  The proposed AttributeIds are:
>
> urn:oasis:names:tc:xacml:3.0:profile:multiple:xml:resource-selector
> urn:oasis:names:tc:xacml:3.0:profile:multiple:xml:authorized-resource-id
>
> Sections 2.2.2 and 2.2.3 of the Multiple profile should be rewritten as
> follows:
>
> =====================
> 2.2.2 Original request context
>
> The original XACML request context <Attributes> element in the resource
> category SHALL contain a <Content> element and an attribute with and
> AttributeId of
> "urn:oasis:names:tc:xacml:3.0:profile:multiple:resource-selector" and a
> DataType of "urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression",
> such that the <AttributeValue> of the "resource-selector" attribute is
> an XPath expression that evaluates to a nodeset that represents multiple
> nodes in the resource category <Content> element. The <Attributes>
> element with the resource category SHALL contain a "scope" attribute
> with a value of "XPath-expression".
>
> 2.2.3 Semantics
>
> Such a request context SHALL be interpreted as a request for
> authorization decisions on multiple nodes in the nodeset represented by
> the <AttributeValue> of the "resource-selector" attribute. Each such
> node SHALL represent an Individual Resource.
>
> Each Individual Decision Request SHALL be identical to the original
> request context with two exceptions: the "scope" attribute SHALL NOT be
> present and an additional attribute with AttributeId of
> "urn:oasis:names:tc:xacml:3.0:profile:multiple:authorized-resource-id"
> SHALL be present.  The DataType of this attribute shall be
> "urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression", and the value
> SHALL be an XPath expression that evaluates to a single node in the
> <Content> element. The IncludeInResult XML attribute SHALL be "true".
> The content XML node selected by this Attribute SHALL be the Individual
> Resource. If the "resource-selector" attribute in the original request
> context contained an Issuer, the "authorized-resource-id" attribute in
> the Individual Resource Request SHALL contain the same Issuer.
> ==============================
>
> See these emails for previous comments on this issue:
>
> http://lists.oasis-open.org/archives/xacml/200910/msg00036.html
> http://lists.oasis-open.org/archives/xacml/200910/msg00052.html
> http://lists.oasis-open.org/archives/xacml/200911/msg00025.html
>
> Regards,
> --Paul
>
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php 
>
>