OASIS Mailing List Archives
Subject: Re: [xacml] Any kind of policies in a request


Hi Erik

Erik Rissanen wrote:
> David,
> 
> I have been thinking more about this.
> 
> I think that an extension point to plug in any kind of policy format 
> does not belong in the XACML core schema, and thus not in the <Request>. 
> The XACML schema is for defining the XACML language, and we would lose 
> some of the benefits of standardization by allowing any content in it.

But you would allow the XACMLv3 request context to be leveraged by many 
more PDPs, which increases the scope of the standard. The most widely 
used feature of the XACML standard is its request response context. I 
know of lots of PDPs that support it that don't support the XACML policy 
language. In v2 there was no need to, but v3 unnecessarily introduces 
this constraint, which means that existing PDPs that use the standard v2 
XACML request context won't be able to use the standard v3 context to 
send policies to their PDPs. Which will lead to a split in the market 
rather than a unification.

> 
> However, SAML defined in the past a protocol for AuthZ query/response. 

Clearly it is still a requirement to be able to query any type of PDP 
for an authz decision, and to be able to send a new policy dynamically.

> It is my understanding, and please correct me if I am wrong, that there 
> was an agreement between the SAML and XACML TCs that the XACML request 
> schema would supersede the SAML AuthZ formats, and SAML dropped their 
> own. The original SAML protocol was ambiguous regarding the policy 
> language.

I don't think it was ambiguous. I think it was silent.

> 
> If we think of the XACML SAML profile to carry the legacy of the 
> original SAML AuthZ protocol, then I guess it would make sense to 
> support other policy languages since the original protocol was not XACML 
> specific.

I obviously agree with this sentiment. Otherwise we would potentially 
end up with n SAML profiles, one for each different PDP policy language.


> 
> What do the rest of the TC see as the scope of the XACML SAML profile? 
> Is it just about supporting XACML, or does it have a wider scope?

If the decision is that it has the scope of XACML only, then another 
very similar profile will still be needed.

regards

David

> 
> Best regards,
> Erik
> 
> David Chadwick wrote:
>> Subsequent to the minutes
>>
>> Rich.Levinson wrote:
>>
>>>
>>> Proposed schema change for policies and discussion from
>>>  David Chadwick and response from Erik:
>>>   http://lists.oasis-open.org/archives/xacml/200911/msg00023.html
>>>
>>>    Erik: David proposed req ctx schema for ext pts xml any, where
>>>     can put proprietary policy lang things; doesn't make sense
>>>     to std on any policies in fmt; suggest using saml/xacml
>>>     mechanism
>>>    Rich: sees it as potentially disruptive, effectively allowing
>>>     elements as children of PolicySet
>>>    Bill: proprietary elements don't make sense; need further info
>>>     to be considered;
>>>
>>>     defer topic until more info from David addressing concerns
>>>      in email and minutes
>>>
>>
>> It makes sense because we cannot assume that every PDP talks the XACML 
>> policy language. However, it is possible to make every PDP talk the 
>> XACML request/response context. Once we have sticky policies and 
>> obligations which we pass around a distributed system we need to be 
>> able to cater for multiple policy languages. If you see my 
>> presentation at W3C yesterday at
>>
>> http://www.w3.org/2009/policy-ws/slides/Chadwick.pdf
>>
>> and look at slide 5 from 11, you will see why we need to relax the 
>> schema requirements on the policy element in the SAML-XACML profile, 
>> otherwise we have no standard way of passing a sticky policy to an 
>> AIPEP or Master PDP.
>>
>> regards
>>
>> David
>>
>>
>>
>>

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************
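Whichever envelope ends up carrying it (the request context David proposes, or the SAML profile Erik prefers), the receiving "Master PDP" has the same job once a policy of any language can arrive inside a request: find the foreign policy, dispatch on the language it is written in, and refuse anything it does not understand. The following is an added example of that front end, not code from the thread's authors or from OASIS. The XACML 3.0 namespace and the subject/action category and attribute-id URIs are the real ones from the XACML 3.0 core schema; the `ext:Policy` extension element, its namespace, and the two toy policy languages (`LANG_A`, `LANG_B`) are assumptions made up for this illustration.

```python
"""Toy "master PDP" front end: accept an XACML 3.0 <Request> that carries a
policy in a foreign (non-XACML) language through an extension element,
dispatch on the policy's namespace, and fail closed on anything else.
Added example, not code from OASIS or the thread's authors.  XACML3 and the
category/attribute-id URIs are real; EXT, LANG_A, LANG_B, <ext:Policy> and
the two toy policy languages are constructed for illustration."""
import xml.etree.ElementTree as ET

XACML3 = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
CAT_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
CAT_ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
EXT = "urn:example:xacml:request-policy-ext"   # hypothetical extension point
LANG_A = "urn:example:policy-lang:simple-acl"   # constructed policy language
LANG_B = "urn:example:policy-lang:time-window"  # constructed, no handler here


def q(ns, local):
    """Clark-notation tag as ElementTree reports it."""
    return "{%s}%s" % (ns, local)


def namespace_of(tag):
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""


def parse_request(xml_text):
    """Return (attrs, policy): attrs maps (category, attribute-id) to string
    values; policy is the <ext:Policy> element or None.  With an open
    extension point the PDP, not the schema, decides what is acceptable, so
    a child of <Request> in any other namespace is rejected, not skipped."""
    root = ET.fromstring(xml_text)
    if root.tag != q(XACML3, "Request"):
        raise ValueError("not an XACML 3.0 Request: %s" % root.tag)
    attrs, policy = {}, None
    for child in root:
        if child.tag == q(XACML3, "Attributes"):
            cat = child.get("Category")
            for a in child.findall(q(XACML3, "Attribute")):
                vals = [v.text or "" for v in a.findall(q(XACML3, "AttributeValue"))]
                attrs.setdefault((cat, a.get("AttributeId")), []).extend(vals)
        elif namespace_of(child.tag) == XACML3:
            continue  # RequestDefaults, MultiRequests: not needed by this toy
        elif child.tag == q(EXT, "Policy"):
            if policy is not None:
                raise ValueError("more than one ext:Policy in Request")
            policy = child
        else:
            raise ValueError("unexpected element in Request: %s" % child.tag)
    return attrs, policy


def eval_simple_acl(body, attrs):
    """Handler for LANG_A: Permit if any <acl:Allow subject= action=> matches."""
    subjects = attrs.get((CAT_SUBJECT, SUBJECT_ID), [])
    actions = attrs.get((CAT_ACTION, ACTION_ID), [])
    for rule in body.findall(q(LANG_A, "Allow")):
        if rule.get("subject") in subjects and rule.get("action") in actions:
            return "Permit"
    return "Deny"


HANDLERS = {LANG_A: eval_simple_acl}  # languages this PDP speaks, by namespace


def decide(xml_text):
    """Malformed, missing, duplicated or unrecognised policy -> Indeterminate."""
    try:
        attrs, policy = parse_request(xml_text)
    except (ET.ParseError, ValueError):
        return "Indeterminate"
    if policy is None or len(policy) != 1:
        return "Indeterminate"
    body = policy[0]
    handler = HANDLERS.get(namespace_of(body.tag))
    if handler is None:
        return "Indeterminate"  # a language nobody here speaks: fail closed
    return handler(body, attrs)


def make_request(subject, action, extra_xml):
    """Constructed sample request with one subject and one action attribute."""
    attr = ('<Attributes Category="%s"><Attribute AttributeId="%s" IncludeInResult="false">'
            '<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">%s'
            '</AttributeValue></Attribute></Attributes>')
    return ('<Request xmlns="%s" xmlns:ext="%s" ReturnPolicyIdList="false" '
            'CombinedDecision="false">%s%s%s</Request>'
            % (XACML3, EXT, attr % (CAT_SUBJECT, SUBJECT_ID, subject),
               attr % (CAT_ACTION, ACTION_ID, action), extra_xml))


ACL_POLICY = ('<ext:Policy><acl:Policy xmlns:acl="%s">'
              '<acl:Allow subject="alice" action="read"/></acl:Policy></ext:Policy>' % LANG_A)
TW_POLICY = '<ext:Policy><tw:Policy xmlns:tw="%s"/></ext:Policy>' % LANG_B
JUNK = '<junk xmlns="urn:example:junk"/>'

if __name__ == "__main__":
    for label, extra in [("ACL", ACL_POLICY), ("unknown language", TW_POLICY), ("junk", JUNK)]:
        print("alice read, %-16s -> %s" % (label, decide(make_request("alice", "read", extra))))
    print("bob read, ACL              -> %s" % decide(make_request("bob", "read", ACL_POLICY)))
```

The point the example makes is the one Rich and Bill raise in the minutes in concrete form: once the schema admits any content at the extension point, schema validation no longer bounds what a request can contain, so every PDP behind that interface needs a namespace whitelist and an Indeterminate (not a silent ignore) for a policy language it does not speak, a duplicated policy, or a stray element. In production the request should also be parsed with a hardened XML parser (for example the `defusedxml` package in Python) because the request now carries attacker-shaped markup in arbitrary languages.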