

Subject: Re: [xacml] Any kind of policies in a request


Hi Hal

Harold Lockhart wrote:
> Read what I wrote again. I said I assumed that the "any" would be
> added to the decision request, not to policies.

Our original proposal was to add any to policies, and this is what the 
group did not like.

> You seem to have
> interpreted what I said backwards. I would be strongly opposed to
> changing the schema of XACML policies for this purpose. I think it is
> reasonable to change the decision request.

This is why we then moved any to the SAML-XACML request.

But having any in the decision request is equally OK for me. We just 
need an extension point somewhere that we can hang things in.

regards

David


> 
> To answer your questions.
> 
> In 2.0 the decision request was invented to enable access to a remote
> XACML PDP. Full Stop.
> 
> However, it turned out to be good for supporting other remote PDPs.
> This is goodness as long as it doesn't interfere with its primary
> purpose.
> 
> In 3.0 because admin/delegation enables policies which are not
> trusted implicitly, we added the ability to provide policies in a
> decision request (wire protocol only) so that policies in effect for
> "this request only" could be supported.
> 
> It seems reasonable based on the above to add to the SAML/XACML
> decision request protocol the ability to include other stuff
> (including policies) which might be useful to non XACML PDPs as long
> as it doesn't interfere with use by XACML.
> 
> Given this, I support adding an any to the decision request along
> with wording that says you must understand it.
> 
> Hal
> 
> -----Original Message-----
> From: David Chadwick [mailto:d.w.chadwick@kent.ac.uk]
> Sent: Monday, December 07, 2009 7:09 PM
> To: Harold Lockhart
> Cc: Erik Rissanen; Rich Levinson; xacml
> Subject: Re: [xacml] Any kind of policies in a request
> 
> 
> Hi Hal
> 
> Yes indeed this was my original proposal, but the group seemed to
> have some resistance to this encoding, so it was switched to putting
> it into the SAML-XACML request message.
> 
> When deciding about topics such as this, I think it is best to first
> agree on the concept, and only then to agree about the actual syntax
> to be used since several different syntaxes can be used to carry the
> same conceptual entity.
> 
> I am not sure how many people in the XACML group have agreed to the
> concept and therefore will disagree with any syntax changes that are
> proposed, and how many have agreed to the concept but not to the
> syntax.
> 
> I would therefore like to see if we can first get a broad consensus
> on the concept and only then decide which syntax is the most
> appropriate one to carry new policies to PDP.
> 
> So I should like to ask the group if there is broad consensus
> that a PEP should be able to dynamically send a policy to its PDP
> along with an authz decision request, and if anyone disagrees to say
> why they disagree.
> 
> In a previous message I asked Anil 4 questions about this issue, but
> now I would like to open this up to the whole group to ask if
> everyone could answer these 4 questions privately, and if anyone
> answers No to any of them to give their rationale to the group. We
> can then debate the concept and resolve this issue first before
> proceeding to any syntax encoding details.
> 
> i) there should be a general mechanism for querying any remote PDP
> for an authz response Y/N
> 
> ii) there is a need to dynamically push a policy to a remote PDP
> along with an authz decision request Y/N
> 
> iii) the v2 XACML request/response context can be used as a general 
> purpose mechanism for making an authz query to any ABAC PDP Y/N
> 
> iv) the SAMLv2 profile of XACML can be used as a general purpose 
> mechanism for pushing a policy to a remote PDP along with making an 
> authz query Y/N
> 
> regards
> 
> David
> 
> Harold Lockhart wrote:
>> David,
>> 
>> When we discussed this in Luxembourg, I assumed you intended to add
>> an ANY to the decision request in the SAML Profile, not to the
>> definition of XACML policies.
>> 
>> I was struck by how both you and Prateek have said to me, the wire
>> protocol decision request is the most important part of XACML
>> because it allows a PDP of any kind to be called. It seems to me
>> logically this is the place where additional information, such as
>> more policies might be needed by a non-XACML PDP.
>> 
>> My main concern is to make it clear that whatever is used here
>> should be profiled and a PDP receiving a request with contents it
>> does not understand MUST return Indeterminate with some appropriate
>> error code.
>> 
>> Hal
>> 
>> -----Original Message-----
>> From: Erik Rissanen [mailto:erik@axiomatics.com]
>> Sent: Monday, November 23, 2009 7:12 AM
>> To: David Chadwick
>> Cc: Rich Levinson; xacml
>> Subject: [xacml] Any kind of policies in a request
>> 
>> 
>> David,
>> 
>> I have been thinking more about this.
>> 
>> I think that an extension point to plug in any kind of policy
>> format does not belong in the XACML core schema, and thus not in
>> the <Request>. The XACML schema is for defining the XACML language,
>> and we would lose some of the benefits of standardization by
>> allowing any content in it.
>> 
>> However, SAML defined in the past a protocol for AuthZ 
>> query/response. It is my understanding, and please correct me if I
>> am wrong, that there was an agreement between the SAML and XACML
>> TCs that the XACML request schema would supersede the SAML AuthZ
>> formats, and SAML dropped their own. The original SAML protocol was
>> ambiguous regarding the policy language.
>> 
>> If we think of the XACML SAML profile to carry the legacy of the
>> original SAML AuthZ protocol, then I guess it would make sense to
>> support other policy languages since the original protocol was not
>> XACML specific.
>> 
>> What do the rest of the TC see as the scope of the XACML SAML
>> profile? Is it just about supporting XACML, or does it have a wider
>> scope?
>> 
>> Best regards, Erik
>> 
>> David Chadwick wrote:
>>> Subsequent to the minutes
>>> 
>>> Rich.Levinson wrote:
>>> 
>>>> Proposed schema change for policies and discussion from David 
>>>> Chadwick and response from Erik: 
>>>> http://lists.oasis-open.org/archives/xacml/200911/msg00023.html
>>>> 
>>>> 
>>>> Erik: David proposed req ctx schema for ext pts xml any, where
>>>> can put proprietary policy lang things; doesn't make sense to
>>>> std on any policies in fmt; suggest using saml/xacml mechanism
>>>> Rich: sees it as potentially disruptive, effectively allowing
>>>> elements as children of PolicySet
>>>> Bill: proprietary elements don't make sense; need further info to be considered;
>>>> 
>>>> defer topic until more info from David addressing concerns in 
>>>> email and minutes
>>>> 
>>> It makes sense because we cannot assume that every PDP talks the 
>>> XACML policy language. However, it is possible to make every PDP 
>>> talk the XACML request/response context. Once we have sticky 
>>> policies and obligations which we pass around a distributed
>>> system we need to be able to cater for multiple policy languages.
>>> If you see my presentation at W3C yesterday at
>>> 
>>> http://www.w3.org/2009/policy-ws/slides/Chadwick.pdf
>>> 
>>> and look at slide 5 from 11, you will see why we need to relax
>>> the schema requirements on the policy element in the SAML-XACML 
>>> profile, otherwise we have no standard way of passing a sticky 
>>> policy to an AIPEP or Master PDP.
>>> 
>>> regards
>>> 
>>> David
>>> 
> 
> 
> 
> *****************************************************************
> David W. Chadwick, BSc PhD
> Professor of Information Systems Security
> The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
> Skype Name: davidwchadwick
> Tel: +44 1227 82 3221
> Fax +44 1227 762 811
> Mobile: +44 77 96 44 7184
> Email: D.W.Chadwick@kent.ac.uk
> Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
> Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
> Entrust key validation string: MLJ9-DU5T-HV8J
> PGP Key ID is 0xBC238DE5
> 
> *****************************************************************
> 

-- 
-------------------------------------------------------------
The Israeli group Breaking the Silence has just released a collection of
testimonies by Israeli soldiers that took part in the Gaza attack last
December and January. The testimonies expose significant gaps between
the official stances of the Israeli military and events on the ground.

See  http://www.shovrimshtika.org/news_item_e.asp?id=30

The Israeli government defies Obama, and continues its settlement expansion

Israel plans to allocate $250 million over the next two years for
settlements

http://www.palestinecampaign.org/index7b.asp?m_id=1&l1_id=4&l2_id=24&Content_ID=698

whilst simultaneously continuing to bulldoze Palestinian homes

http://salsa.democracyinaction.org/o/301/t/9462/campaign.jsp?campaign_KEY=27357

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************
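Hal's requirement in the thread above (a PDP that receives decision-request content it does not understand MUST return Indeterminate with an error code) as an added Python example; this is not code from the thread or from any XACML implementation. The wrapper element standing in for the SAML-profile decision query, the extension namespaces, the `Policy` extension element and the choice of the syntax-error status code are constructed assumptions; the XACML 2.0 context namespace and the status-code URI are the real identifiers.

```python
import xml.etree.ElementTree as ET

# Real XACML 2.0 identifiers: the request/response context namespace and a status code.
XACML_CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
STATUS_SYNTAX_ERROR = "urn:oasis:names:tc:xacml:1.0:status:syntax-error"

# Constructed placeholders: a wrapper standing in for the SAML-profile decision query,
# and the extension namespaces this PDP has been profiled to understand.
WRAPPER_NS = "urn:example:authz-decision-query"
UNDERSTOOD_EXTENSIONS = {"urn:example:sticky-policy:1.0"}

def make_query(*ext_namespaces):
    """Constructed decision query: a minimal XACML Request plus one opaque
    extension child per namespace, hung off the wrapper's 'any' slot."""
    exts = "".join(f'<x:Policy xmlns:x="{ns}">opaque</x:Policy>' for ns in ext_namespaces)
    return f'<q:Query xmlns:q="{WRAPPER_NS}"><Request xmlns="{XACML_CTX}"/>{exts}</q:Query>'

def namespace(elem):
    """Namespace URI of an ElementTree element (tags look like '{uri}local')."""
    return elem.tag[1:].split("}", 1)[0] if elem.tag.startswith("{") else ""

def build_response(decision, status_code, message=None):
    """Serialize an XACML 2.0 <Response> with one Result, its Decision and Status."""
    ET.register_namespace("", XACML_CTX)
    resp = ET.Element(f"{{{XACML_CTX}}}Response")
    result = ET.SubElement(resp, f"{{{XACML_CTX}}}Result")
    ET.SubElement(result, f"{{{XACML_CTX}}}Decision").text = decision
    status = ET.SubElement(result, f"{{{XACML_CTX}}}Status")
    ET.SubElement(status, f"{{{XACML_CTX}}}StatusCode", Value=status_code)
    if message:
        ET.SubElement(status, f"{{{XACML_CTX}}}StatusMessage").text = message
    return ET.tostring(resp, encoding="unicode")

def handle_query(query_xml):
    """Must-understand gate. Returns (indeterminate_response_xml, None) if the query
    carries extension content outside UNDERSTOOD_EXTENSIONS, else (None, Request)."""
    root = ET.fromstring(query_xml)
    request_tag = f"{{{XACML_CTX}}}Request"
    request = root.find(request_tag)
    if request is None:
        return build_response("Indeterminate", STATUS_SYNTAX_ERROR, "no XACML Request"), None
    unknown = sorted({namespace(c) for c in root if c.tag != request_tag} - UNDERSTOOD_EXTENSIONS)
    if unknown:
        msg = "unsupported extension content: " + ", ".join(unknown)
        return build_response("Indeterminate", STATUS_SYNTAX_ERROR, msg), None
    # Every extension is one this PDP was profiled for: hand the Request (and the
    # extension content) on to policy evaluation, which is outside this example.
    return None, request
```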

