Subject: RE: [xacml] Break the Glass policies


David, all --

In looking at access policies based on formal policy authorities (like
laws and federal regulation) we've seen a number of cases where the
only practical source of a person or environmental "attribute" is
assertion by the requestor. The "BTG" attribute is an assertion that an
emergency situation exists. We also have come to the same conclusion
that you have (apparently), namely that ex-post enforcement (via audit
of access logs) is a sufficient basis for enforcement for many kinds of
policies.

Another general class of self-assertion situations is where a law or
policy says "you can share information 'for the purpose of' something."
Example: passport clerks can view personal passport records 'for the
purpose of' verifying information in the course of processing a passport
renewal application, (but not for other purposes, like browsing the
information of celebrities.)  In many of these scenarios one might
imagine a data source for the attribute that did not depend on
self-assertion, but those data may not be available at least in the
short run.

I have not considered implementation of this enforcement strategy
(self-assertion plus log audit) to be a standards issue, so much as a
tooling issue (does a PDP product support pop-up requests for
self-asserted information?)  But if making a BTG profile stimulates
vendors to add capability for collecting self-assertion data, I'm for
it!

Martin Smith
US Department of Homeland Security
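The enforcement strategy described above (self-asserted purpose-of-use and BTG attributes, a permit that carries a log obligation, and an ex-post audit of the log) as an added example; this is illustrative code, not part of the thread or any PDP product, and the role table, attribute names and audit threshold are assumptions.

```python
"""Toy PDP/PEP for self-asserted attributes with ex-post audit.

Rule 1 permits access when the self-asserted purpose of use is allowed
for the requester's role. Rule 2 permits access on a self-asserted BTG
(emergency) flag. Both permits carry an obligation to log the asserted
values, so an auditor can review them after the fact.
"""
from collections import Counter
from dataclasses import dataclass, field

ALLOWED_PURPOSES = {"clerk": {"passport-renewal"}}  # assumed policy table


@dataclass
class Request:
    subject: str
    role: str
    resource: str
    purpose: str       # self-asserted purpose of use
    btg: bool = False  # self-asserted "emergency situation exists"


@dataclass
class Decision:
    effect: str                              # "Permit" or "Deny"
    obligations: list = field(default_factory=list)


def evaluate(req: Request) -> Decision:
    """PDP: purpose-of-use rule first, then BTG; otherwise deny."""
    if req.purpose in ALLOWED_PURPOSES.get(req.role, set()):
        return Decision("Permit", [("log", {"reason": "purpose", **vars(req)})])
    if req.btg:
        return Decision("Permit", [("log", {"reason": "btg", **vars(req)})])
    return Decision("Deny")


def enforce(req: Request, log: list) -> str:
    """PEP: apply the decision and discharge the log obligation."""
    decision = evaluate(req)
    for name, entry in decision.obligations:
        if name == "log":
            log.append(entry)
    return decision.effect


def audit(log: list, btg_threshold: int = 2) -> list:
    """Ex-post audit: flag subjects whose BTG assertions reach the threshold."""
    counts = Counter(e["subject"] for e in log if e["reason"] == "btg")
    return [f"{s}: {n} BTG accesses" for s, n in counts.items() if n >= btg_threshold]


def run_sample():
    """Constructed sample traffic; returns (effects, audit findings)."""
    log = []
    reqs = [
        Request("alice", "clerk", "passport/1001", "passport-renewal"),
        Request("bob", "clerk", "passport/2002", "browsing"),
        Request("bob", "clerk", "passport/2002", "browsing", btg=True),
        Request("bob", "clerk", "passport/2003", "browsing", btg=True),
    ]
    return [enforce(r, log) for r in reqs], audit(log)
```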


-----Original Message-----
From: xacml-return-1875-martin.smith=dhs.gov@lists.oasis-open.org
[mailto:xacml-return-1875-martin.smith=dhs.gov@lists.oasis-open.org] On
Behalf Of Ludwig Seitz
Sent: Monday, December 14, 2009 2:52 AM
To: David Chadwick
Cc: xacml
Subject: Re: [xacml] Break the Glass policies

Hi David,

you might want to look at this:
http://portal.acm.org/citation.cfm?id=1263871

I think it is very similar to what you want to achieve.

Regards,

Ludwig

-- 
Ludwig Seitz, PhD             |   Axiomatics AB
Training & Development        |   Electrum 223
Phone: +46 (0)760 44 22 91    |   S-164 40 Kista, Sweden
Mail: ludwig@axiomatics.com   |
