
Subject: RE: [xacml] Risk adaptive vs BTG


I think Paul has expressed my intent better than I did.  I do see BTG as a specific instance of a more general category of use cases (perhaps not unlike the XSPA demo I saw at OASIS IdM last fall).  David, I do like the second formulation of BTG (using obligations) better.  I suppose I would suggest a broader discussion of how the TC would like to address this category of work over the long term. 

-----Original Message-----
From: Tyson, Paul H [mailto:PTyson@bellhelicopter.textron.com] 
Sent: Friday, February 11, 2011 11:48 AM
To: xacml
Subject: RE: [xacml] Risk adaptive vs BTG

I think John was attempting to classify BTG as a special case of something more generic.  I agree with this line of investigation (though not necessarily with his suggestion that it is an instance of RAAC).

David's proposal looks like a very particular solution to what might be a more general problem, and if that is true we would arrive at a better standard by analyzing a range of related use cases to abstract the essential elements into a general case.

Regards,
--Paul

> -----Original Message-----
> From: David Chadwick [mailto:d.w.chadwick@kent.ac.uk]
> Sent: Friday, February 11, 2011 13:26
> To: xacml
> Subject: [xacml] Risk adaptive vs BTG
> 
> The minutes of the last telecon stated "John Tolbert.. [suggested that
> BTG] may be more appropriately referred to as Risk Adaptive Access
> Control."
> 
> I do not agree with this for the following reasons
> 
> 1. Risk adaptive access control has mechanisms to both override grants 
> and turn them into denies (when the risk is high) and override denies 
> and turn them into grants (when the risk is low).
> 
> 2. Risk adaptive access control relies on intelligent machine 
> components to make the risk decisions and decide whether to reverse 
> the PDP's decision.
> 
> BTG has neither of the above.
> 
> 3. BTG only allows a deny to be turned into a grant
> 
> 4. BTG relies on the intelligent authorised user to make the BTG 
> override decision at the time of access
> 
> Regards
> 
> David
> 
> 
> *****************************************************************
> David W. Chadwick, BSc PhD
> Professor of Information Systems Security School of Computing, 
> University of Kent, Canterbury, CT2 7NF Skype Name: davidwchadwick
> Tel: +44 1227 82 3221
> Fax +44 1227 762 811
> Mobile: +44 77 96 44 7184
> Email: D.W.Chadwick@kent.ac.uk
> Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
> Research Web site:
> http://www.cs.kent.ac.uk/research/groups/iss/index.html
> Entrust key validation string: MLJ9-DU5T-HV8J PGP Key ID is 0xBC238DE5
> 
> *****************************************************************
> 
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that 
> generates this mail.  Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php

