OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [xacml] Attribute predicate profile for SAML and XACML


From: Gregory Neven [mailto:nev@zurich.ibm.com] 
Sent: Monday, May 23, 2011 3:57 PM
To: xacml@lists.oasis-open.org
Subject: Re: [xacml] Attribute predicate profile for SAML and XACML

>> As discussed during the last call, I think the answer to your question is yes, if I correctly understand authorization-based access control (ZBAC) correctly as follows. A user from domain A wants to access a resource hosted in domain B. In classical attribute-based access control (ABAC), domain B fetches the user's attributes from domain A and checks whether the policy associated to the resource is satisfied. In ZBAC, it is domain A that checks whether the user's attributes satisfy the policy. Our attribute predicate profile could indeed be used by domain B to send the policy (predicate) to domain A, who evaluates the predicate and certifies to B whether it holds or not. <<

This is what I thought too. But on second reading, I think differently.

I now interpret the article to mean that in ZBAC, the remote domain delegates some of its policy to the local domain. The local PDP performs the authorization decision based on that delegated policy, and sends the decision along with the request to the remote domain. Using various cryptographic tricks, the remote domain can check that the local PDP was allowed to make the authorization decision and honors it.

So, if my new understanding is correct, then the attribute predicate profile can't be used to implement ZBAC. Oh well.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]