RE: [xacml] PDP REST Interface - proposal

[Hal Lockhart <hal.lockhart@oracle.com>]

I think we should first decide if we want to do a naked http protocol for decision requests. It seems to me that this is the target to aim for as the existing decision request protocol is the most widely implemented part of XACML and it is needed by every PEP, of which are there will always be many more than PDPs, PAPs, etc.

Assuming this is accepted as a goal, I suggest one principle. The protocol should support most or all of the functionality of the existing protocol. At least it should allow the transmission of all the flavors of attributes and categories and the return of obligations and advice. If we want to limit the functionality, we could omit things like multiple requests and signed responses.

I am happy with making the most common type of request, access subject only, plus resource and action as easy as possible. But I don't want to create a situation that if you want more power than say ACLs give, you have to use a totally different approach (e.g.. the SAML/SOAP) one. This will have the result of promoting the use of non-XACML policy models, since the power will in practice not be accessible anyway.

In summary, my corollary to Bill Joys old maxim is: Easy stuff should be easy, hard stuff should be possible, and only more difficult in proportion to its complexity.

Hal

> -----Original Message-----
> From: remon.sinnema@emc.com [mailto:remon.sinnema@emc.com]
> Sent: Wednesday, May 25, 2011 3:49 AM
> To: Anil.Saldhana@redhat.com
> Cc: xacml@lists.oasis-open.org; david.brossard@axiomatics.com
> Subject: RE: [xacml] PDP REST Interface - proposal
> 
> 
> Anil/TC,
> 
> 
> From: Anil Saldhana [mailto:Anil.Saldhana@redhat.com] 
> Sent: Wednesday, May 25, 2011 12:12 AM
> To: David Brossard
> Cc: xacml@lists.oasis-open.org
> Subject: Re: [xacml] PDP REST Interface - proposal
> 
> >> XACML is a XML language that defines access control rules. 
>  If we want to use json as one of the authoring means, we 
> have to rename it to jacml. ;) <<
> 
> The X in XACML stands for eXtensible, not for XML. The spec 
> makes it clear that an implementation is not required to use 
> XML at all. For instance, Section 3.2 states that
> "The PDP is not required to operate directly on the XACML 
> representation of a policy.  It may operate directly on an 
> alternative representation".
> 
> Having said that, Section 2 mentions that
> "XML is a natural choice as the basis for the common 
> security-policy language, due to the ease with which its 
> syntax and semantics can be extended to accommodate the 
> unique requirements of this application, and the widespread 
> support that it enjoys from all the main platform and tool vendors."
> 
> So I don't think there is anything that prevents us to look 
> at alternatives to XML. JSON makes a lot of sense for a web 
> client perspective, and it shouldn't be too hard to define a 
> XML -> JSON mapping for the XACML requests and responses.
> 
> Thanks,
> Ray
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
> 
>