OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [xacml] Any kind of policies in a request

   I have a hard time really agreeing to your proposal of interlinking 
requests and xacml policies.

The XACML policy aspect has to be out of band wrt the request-response 


On 11/23/2009 06:12 AM, Erik Rissanen wrote:
> David,
> I have been thinking more about this.
> I think that an extension point to plug in any kind of policy format 
> does not belong in the XACML core schema, and thus not in the 
> <Request>. The XACML schema is for defining the XACML language, and we 
> would lose some of the benefits of standardization by allowing any 
> content in it.
> However, SAML defined in the past a protocol for AuthZ query/response. 
> It is my understanding, and please correct me if I am wrong, that 
> there was an agreement between the SAML and XACML TCs that the XACML 
> request schema would supersede the SAML AuthZ formats, and SAML 
> dropped their own. The original SAML protocol was ambiguous regarding 
> the policy language.
> If we think of the XACML SAML profile to carry the legacy of the 
> original SAML AuthZ protocol, than I guess it would make sense to 
> support other policy languages since the original protocol was not 
> XACML specific.
> What do the rest of the TC see as the scope of the XACML SAML profile? 
> Is it just about supporting XACML, or does it have a wider scope?
> Best regards,
> Erik
> David Chadwick wrote:
>> Subsequent to the minutes
>> Rich.Levinson wrote:
>>> Proposed schema change for policies and discussion from
>>>  David Chadwick and response from Erik:
>>>   http://lists.oasis-open.org/archives/xacml/200911/msg00023.html
>>>    Erik: David proposed req ctx schema for ext pts xml any, where
>>>     can put proprietary policy lang things; doesn't make sense
>>>     to std on any policies in fmt; suggest using saml/xacml
>>>     mechanism
>>>    Rich: sees it as potentially disruptive, effectively allowing
>>>     elements as children of PolicySet
>>>    Bill: proprietary elements don't make sense; need further info
>>>     to be considered;
>>>     defer topic until more info from David addressing concerns
>>>      in email and minutes
>> It makes sense because we cannot assume that every PDP talks the 
>> XACML policy language. However, it is possible to make every PDP talk 
>> the XACML request/response context. Once we have sticky policies and 
>> obligations which we pass around a distributed system we need to be 
>> able to cater for multiple policy languages. If you see my 
>> presentation at W3C yesterday at
>> http://www.w3.org/2009/policy-ws/slides/Chadwick.pdf
>> and look at slide 5 from 11, you will see why we need to relax the 
>> schema requirements on the policy element in the SAML-XACML profile, 
>> otherwise we have no standard way of passing a sticky policy to an 
>> AIPEP or Master PDP.
>> regards
>> David 

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]