xdi message
Subject: Transcript of XACML questions/answers


Anne and Hal,

Thank you both again for taking an hour of your evening to attend our call
on Monday. It was very widely appreciated by everyone on the TC, whose
understanding of XACML was considerably increased.

Following are my own relatively brief transcriptions of your answers for those
XDI TC members who could not make the call. Feel free to elaborate on any of
them if I missed key points.

Thank you again,

=Drummond 

TRANSCRIPT OF XACML Q&A FROM XDI TC 4/19 TELECON WITH ANNE ANDERSON & HAL
LOCKHART

* How do you pronounce "XACML"? (Is it "Ex-akML" or "ZakML" - we've heard
both.)

Hal: Mostly "Egg-ackML", but there is no one true way.

* Does XACML only work against XML-described resources, i.e., XML documents,
or can it provide access control for any URI-identifiable resource?

Hal: It can work against any resource that is either URI or XPath
addressable. 

* At first reading it's not clear exactly how XACML references policies,
policy elements, attributes, etc. It appears to use both URIs and XPath
expressions. Is one or the other preferred? Are there other referencing
mechanisms?

Hal: It is mandatory that implementations support URIs (technically, it's an
anyURI datatype). You can ALSO specify an XPath expression against the input
context, but this is always optional.

In practice, the specification frequently identifies actual attribute values
with URNs.

* How should we reconcile the XACML glossary definitions of "Resource" and
"Subject" and the URI/XRI glossary definition of "Resource" (anything
identifiable) which would include "Subjects"? What is the XACML equivalent
of what the XRI & XDI glossary calls an "Authority" (a Resource that
controls other Resources)?

Hal: XACML deals with 4 broad categories of entities: Subjects (and their
attributes), Resources (and their attributes), Actions (and their
attributes), Environment (and its attributes). Resource is most important,
Action is second most important.

Anne: Probably the best reconciliation is that XACML classifies what URI/XRI
calls "resources" into specific classes. A Subject must be a system entity,
capable of having an authenticatable identity.

Hal: The closest thing to an Authority is a PEP (Policy Enforcement Point).

* Given our description of XDI link contracts - XDI documents that govern
the sharing of other XDI documents - is there a reason that XDI link
contracts should favor: a) physically containing instances of the XACML
policies the author wants to bind with specified data, or b) referencing
those policies externally with XRIs? Or does it not matter?

Hal: It doesn't matter. The goal has been to allow implementations to be as
flexible as possible, and to allow PEPs and PDPs to be configured and
distributed any way they want.

Anne: If you look at the Sun open source implementation, it implements a
PolicyFinder module. The identifier of a policy can be a URI; how the policy
is resolved and returned is up to the implementation.

Hal: This is subtle, but the information in the context can be used to
determine the policies that apply. Since a policy can apply to many
resources, it is up to the PEP to determine what policies may apply in a
particular context. This specifically allows: a) decentralized
administration of the policies, and b) dynamic decision-making about the
policies. In many cases, the resource being requested and the other context
inputs may be determined dynamically by the PEP and PDP, and may not be
named explicitly in the request.

* Clearly XACML policies are intended to be portable across an authority,
such as a single enterprise. Are they also intended to be portable across
authorities, such as across the members of a consortium?

Hal: There has been lots of discussion about portability. There may be some
limitations about policies being ported, but in general this should be
possible.

Anne: Example of a portable policy: the patient is allowed to read their own
medical records. This could be structured to be portable. An example might
be that a set of health-care policies are mandated by a legislative body,
and then must be adopted by all the doctors and hospitals under its
jurisdiction.

* Obligations - how are they expressed?

Hal: Using URIs.

* How did the XACML TC develop its policy combining algorithm?

Hal: To his knowledge, it was new at the XACML TC.

* Could an XACML policy be used to describe the usage controls on a shared
piece of data? For example, could Authority A share Resource X (say a home
phone number) with Authority B and have the link contract specify that
Authority B may only allow access (in their own domain) to Resource X under
XACML Policy Y?

Hal: Yes, this should work, as long as they each have PDPs (policy decision
points) that can process the policies. XACML 1.0 and 1.1 were developed
around a fairly static model (policies pre-exist). 2.0 supports a more
dynamic model.

Anne: The two authorities could pass the policy between them.

Hal: It would be more efficient for the policy providers to share the same
policy by reference. Resources can have an attribute that is what the PDP
looks for to apply that particular policy.

* At the SIMC meeting in New York in February, Hal Lockhart mentioned that
an XACML policy could be used to select the set of nodes in an XML document
that satisfy that policy. Is this the case? (This could be enormously useful
in XDI, as policies could be a particularly efficient way of selecting subsets
of data to be shared from a larger XDI document.)

Hal: Yes, if a policy applies to a hierarchical resource, it can select
specific nodes that satisfy the policy. The result will actually be an XML
document that is compliant with the same schema as the source document. Note
that this is not strictly an XACML feature, but something that can be
implemented with XACML.

* Do you see XRIs and XDI as one means of accomplishing the "policy
referencing and retrieval" and "attribute value resolution" processes that a
PDP must execute in order to assemble a fully-resolved XACML authorization
decision request?

RAN OUT OF TIME; DEFERRED THIS QUESTION TO A FUTURE SESSION

* Are there other ways in which XRIs and XDI might be helpful to XACML?

RAN OUT OF TIME; DEFERRED THIS QUESTION TO A FUTURE SESSION

* What is the status of XACML 2.0? When are the specifications expected?
Should that be our target for compatibility?

Hal: Trying to wrap up the 2.0 work this spring, with the goal of having 2.0
as a standard this fall.

* Will XACML 2.0 be harmonized with SAML 2.0?

Hal: There is a will to do that on both sides. In some cases the issues are
on where does the work get done, and in some cases the issue is terminology
and referencing. We expect that there will be progress, but they may not be
in perfect harmony yet.

Anne: There is already a SAML profile of XACML.

Hal: This will allow digital signatures on policies and other security
functions.

* The XDI TC will be completing its requirements stage in early May and
beginning specifications. How would you recommend the XDI TC work with the
XACML TC to achieve the best synergy between our efforts?

Hal: We should continue this dialog, starting in New Orleans, and review the
XDI requirements when a draft is published.
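As an added illustration (not part of the original message, the XACML TC's work, or the Sun implementation), here is how Anne's portable "patient may read their own medical record" policy and Hal's "resource attribute the PDP looks for" remark could be written as a single XACML 2.0 policy. The standard `urn:oasis:names:tc:xacml:*` identifiers are real; every `urn:example:*` identifier is hypothetical.

```xml
<!-- Hypothetical policy: a patient may read their own medical record.
     Standard XACML identifiers are real; urn:example:* ones are invented here. -->
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        PolicyId="urn:example:policy:patient-reads-own-record"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <!-- Policy-level Target: applies only to resources tagged with this
       attribute, which is what the PDP looks for to select the policy. -->
  <Target>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">medical-record</AttributeValue>
          <ResourceAttributeDesignator AttributeId="urn:example:resource:record-type"
                                       DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ResourceMatch>
      </Resource>
    </Resources>
  </Target>
  <!-- Rule 1: Permit "read" when the requester's subject-id equals the
       record's patient-id. Portable: no site-specific names are hard-coded. -->
  <Rule RuleId="urn:example:rule:own-record-read" Effect="Permit">
    <Target>
      <Actions>
        <Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                       DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ActionMatch>
        </Action>
      </Actions>
    </Target>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                                      DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <ResourceAttributeDesignator AttributeId="urn:example:resource:patient-id"
                                       DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <!-- Rule 2: any other request about a medical record is denied. With
       first-applicable this only fires when Rule 1 did not apply. -->
  <Rule RuleId="urn:example:rule:default-deny" Effect="Deny"/>
</Policy>
```

If either subject-id or patient-id is absent from the request context, string-one-and-only makes Rule 1 evaluate to Indeterminate rather than Permit, so a missing attribute fails closed at the PEP.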
