Subject: RE: Attribute Categories


OK so sorry for the confusion.

 

XACMLv3 requires a “category” for every attribute. It is mandatory for all attributes as it supersedes the former subject/resource/action/environment types. So to update the XACML profile to version 3 we have to specify attribute categories for all the attributes we define.

The concept of ‘category’ is introduced by XACML 3.0 and is not something we try to introduce.

 

For resources, actions, and environment, there is only one standard category defined in XACMLv3 core. But for subject attributes, XACMLv3 core defines 4 choices as I mentioned below. So we have to make a decision here to either pick one of the standard subject categories defined by XACML 3.0 or define one of our own. 

 

Regards,

Mohammad

 

From: xspa@lists.oasis-open.org [mailto:xspa@lists.oasis-open.org] On Behalf Of Davis, John M.
Sent: Tuesday, July 16, 2013 6:25 PM
To: Mohammad Jafari; xspa@lists.oasis-open.org
Cc: Duane Decouteau
Subject: RE: [xspa] Attribute Categories

 

You will need to explain more fully what you mean. I’m hesitant to branch off into areas or concepts that do not have existing standards bases. Primarily I refer to ISO 10181-3 (which can be obtained from ITU for free) and NIST FIPS 188 for attributes of Security Labels. The HL7 Healthcare Privacy and Security Classification System has also defined concepts. The suggestions below have neither a standards basis nor harmonization with core security standards.

 

XSPA is first and foremost a healthcare profile of existing standards so we need to be cautious about introducing NEW concepts. 

 

Regards, Mike

 

From: xspa@lists.oasis-open.org [mailto:xspa@lists.oasis-open.org] On Behalf Of Mohammad Jafari
Sent: Tuesday, July 16, 2013 5:05 PM
To: xspa@lists.oasis-open.org
Cc: Duane Decouteau
Subject: [xspa] Attribute Categories

 

One of the new features in XACML 3.0 is attribute categories, which have replaced the static types subject, resource, action and environment. So, we need to specify the attribute categories for the XSPA attributes, which is the subject of the task XSPA-1.

 

I noticed that there is actually more than one category defined in XACML 3.0 core. The standard (and the only mandatory) category for subjects is:

urn:oasis:names:tc:xacml:1.0:subject-category:access-subject

But it seems to me the optional category

urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject

is also relevant to the XSPA use-cases for the attributes of the receiving organization.

 

There are also the following categories which could be considered:

urn:oasis:names:tc:xacml:1.0:subject-category:intermediary-subject

urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine

 

We have the following options to use for the category of subjects in XSPA:

1. access-subject
2. recipient-subject
3. intermediary-subject
4. requesting-machine
5. Define another XSPA-specific category

 

Please share what you think. I personally think we should use access-subject for the end user attributes and recipient-subject for the receiving organization.

 

 

Regards,

Mohammad
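
The following Python is an added illustration, not part of the thread or of the XSPA profile. It parses an XACML 3.0 request, groups attributes by the Category carried on each <Attributes> element, and flags blocks that have no Category or use one outside the standard set discussed above. The AttributeId values and the urn:example category are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
SUBJ = "urn:oasis:names:tc:xacml:1.0:subject-category:"
CAT3 = "urn:oasis:names:tc:xacml:3.0:attribute-category:"
# The four subject categories listed in the thread, plus the single standard
# resource, action and environment categories of XACML 3.0 core.
KNOWN_CATEGORIES = (
    {SUBJ + s for s in ("access-subject", "recipient-subject",
                        "intermediary-subject", "requesting-machine")}
    | {CAT3 + c for c in ("resource", "action", "environment")}
)
STR = "http://www.w3.org/2001/XMLSchema#string"

def _attrs(category, attr_id, value):
    """Render one <Attributes> block; category=None omits the Category attribute."""
    cat = f' Category="{category}"' if category else ""
    return (f'<Attributes{cat}><Attribute AttributeId="{attr_id}" IncludeInResult="false">'
            f'<AttributeValue DataType="{STR}">{value}</AttributeValue></Attribute></Attributes>')

# Constructed request. AttributeId values and the urn:example category are
# placeholders (assumptions), not identifiers from the XSPA profile.
SAMPLE_REQUEST = (
    f'<Request xmlns="{NS}" ReturnPolicyIdList="false" CombinedDecision="false">'
    + _attrs(SUBJ + "access-subject", "urn:example:end-user-role", "physician")
    + _attrs(SUBJ + "recipient-subject", "urn:example:receiving-organization", "Clinic B")
    + _attrs(CAT3 + "resource", "urn:example:record-type", "lab-result")
    + _attrs("urn:example:xspa-specific-category", "urn:example:other", "x")
    + _attrs(None, "urn:example:uncategorized", "y")
    + "</Request>"
)

def attributes_by_category(request_xml):
    """Group AttributeIds by Category; report missing or non-standard categories."""
    root = ET.fromstring(request_xml)
    grouped, problems = {}, []
    for i, block in enumerate(root.findall(f"{{{NS}}}Attributes")):
        category = block.get("Category")
        if not category:
            # Category is mandatory in XACML 3.0, so this block cannot be classified.
            problems.append(f"Attributes[{i}]: missing mandatory Category")
            continue
        if category not in KNOWN_CATEGORIES:
            # A profile-specific category (option 5 in the thread) lands here.
            problems.append(f"Attributes[{i}]: non-standard category {category}")
        ids = [a.get("AttributeId") for a in block.findall(f"{{{NS}}}Attribute")]
        grouped.setdefault(category, []).extend(ids)
    return grouped, problems
```
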

 


