OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [xacml] Comment on NIST/NCCOE draft -- existing XACML architecture artifacts?

Hal, all--Thanks--that looks like material that might be used. 

However, I looked again at the other recent NCCOE paper, the so-called ABAC Building Block.  That is referenced in the draft SP 1800-3b ("b" is the "medium-sized" volume of the set that we have been discussing)  one time in a footnote, not very prominently, as a "white paper."  However, in that ABAC Building Block paper is a pretty good logical diagram, here:

Inline image 1

(I could quibble about how a few things are represented, but this looks like a good 80% solution.) 

Here's a link to the whole document:

Assuming that it would be easier and more acceptable to NIST to add material from one of their own docs to the draft 1800-3, we might just suggest that they include this diagram as a logical architecture before presenting their physical (product-specific) solution diagram. We might even suggest they highlight the parts of this diagram that the physical solution covers (which is most of it.) 

Looking past the proposed suggestion to include a logical ABAC architecture diagram, does anyone have other observations on the draft 1800-3?

And do we agree that we can endorse the above diagram as--is, or do people want to ask them to tweak it?

Whatever we do, we need to do it pretty soon:

Comments on this publication may be submitted to: abac-nccoe@nist.gov
Public comment period: September 30, 2016 through December 4, 2016


PS-- I also promised last meeting to locate and send around the functional capabilities which the 1800-3 physical implementation sought to demonstrate. Here they are: 

The scope of this build is the successful execution of the following capabilities:
 identity and attribute federation between trust partners
 user authentication and creation of an authentication context
 fine-grained access control through a policy enforcement point (PEP) closely coupled with the
 creation of attribute-based policy definitions
 secondary attribute requests
 allowing RP access decisions on external identities without the need for pre-provisioning

On Thu, Nov 12, 2015 at 11:49 AM, Hal Lockhart <hal.lockhart@oracle.com> wrote:

I think it was me not Rich.


What I had in mind was something like section 3.1 of the core spec.


Also I and others have done many overview of XACML/ABAC architecture presentations over the years. For example, This presentation Prateek and Rich did at RSA in 2009.  https://www.oasis-open.org/committees/download.php/22335/RSA-V09.ppt


Or the attached one I created for the 2012 RSA Showcase.





From: Martin Smith [mailto:bfc.mclean@gmail.com]
Sent: Wednesday, November 11, 2015 3:46 PM
To: rich levinson; William Parducci
Subject: [xacml] Comment on NIST/NCCOE draft -- existing XACML architecture artifacts?




Last meeting in discussing possible TC comment on the NIST/NCCOE draft, I believe Rich expressed reluctance to make a comment like "you should do more work to make x change in your document" rather than offering specific text adds or changes. He also suggested that there might be something produced in the TC in the past that could be offered as a logical architecture to be added to the NIST doc. (Addition of a non-product-specific architecture diagram to the NIST document was my suggested comment.)


So, this is just a reminder to ask if Rich or anyone can suggest a TC-produced artifact that we might provide to NIST for incorporation in the document. 





Martin F Smith, Principal

BFC Consulting, LLC

McLean, Va 22102

Martin F Smith, Principal
BFC Consulting, LLC
McLean, Va 22102
703 506-0159
703 389-3224 mobile

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]