| From | Sent On | Attachments |
|---|---|---|
| Damodaran, Suresh | Jun 6, 2001 4:46 pm | |
| Hal Lockhart | Jun 7, 2001 11:13 am | |
| Damodaran, Suresh | Jun 7, 2001 12:20 pm | |
| Hal Lockhart | Jun 7, 2001 2:36 pm | |
| Pilz, Gilbert | Jun 7, 2001 2:44 pm | |
| bill parducci | Jun 7, 2001 2:54 pm | |
| Damodaran, Suresh | Jun 7, 2001 4:34 pm | |
| Pilz, Gilbert | Jun 7, 2001 6:25 pm | |
| Hal Lockhart | Jun 8, 2001 7:12 am | |
| Hal Lockhart | Jun 8, 2001 7:31 am | |
| bill parducci | Jun 8, 2001 9:20 am | |
| Hal Lockhart | Jun 8, 2001 11:17 am | |
| bill parducci | Jun 8, 2001 11:33 am | |
| Hal Lockhart | Jun 8, 2001 11:57 am | |
| bill parducci | Jun 8, 2001 1:22 pm | |
| Hal Lockhart | Jun 8, 2001 2:08 pm | |
| bill parducci | Jun 8, 2001 2:31 pm | |
| Simon Y. Blackwell | Jun 8, 2001 8:18 pm | |
| Simon Y. Blackwell | Jun 8, 2001 8:49 pm | |
| Simon Y. Blackwell | Jun 8, 2001 9:04 pm | |
| Simon Y. Blackwell | Jun 8, 2001 9:19 pm | |
| Michiharu Kudoh | Jun 10, 2001 9:27 am | |
| Hal Lockhart | Jun 11, 2001 9:44 am | |
| Ken Yagen | Jun 11, 2001 11:36 am | |
| Hal Lockhart | Jun 11, 2001 12:58 pm | |
| bill parducci | Jun 11, 2001 1:11 pm | |
| Simon Y. Blackwell | Jun 11, 2001 1:26 pm | |
| Carlisle Adams | Jun 11, 2001 2:06 pm | |
| Simon Y. Blackwell | Jun 11, 2001 2:49 pm | |
| Carlisle Adams | Jun 13, 2001 2:46 pm | |
| Subject: | RE: XACML TC Charter Revision - Strawman | |
|---|---|---|
| From: | Hal Lockhart (hal....@entegrity.com) | |
| Date: | Jun 7, 2001 11:13:33 am | |
| List: | org.oasis-open.lists.xacml | |
Sorry to be slow on this, but there is another issue I think we need to consider and include or explicitly reject. I will describe this informally because it is easier to express that way and I hope will be easier to understand. If we get some consensus we can worry about more precise expression.
Since this bears on the use of XACML by SAML, I have cross posted this.
As I understand it the current scope of the XACML schema is to express:
1. Some policy is "this".
SAML is interested in using XACML as a means of expressing Authorization Policy Decisions. In other words something like:
2. The result of evaluating "this" is TRUE (or FALSE)
It seems to me that under the current charter for XACML, this should work.
However, in order to do this, SAML needs to be able to make a request for this to be done. Presumably, making the request does not require knowing what policies apply. Therefore it needs to be possible to say:
3. Please evaluate the policies that apply to target X. Here are some inputs that may be needed for this decision. [The PDP will fill in any missing values, either by observing them for itself (e.g. date/time) or by using default values (e.g. unauthenticated subject).]
It seems to me that XACML could help with this. For example, XACML will certainly have to define a generalized syntax for expressing the name of a target.
Also, if you can say:
a) True if signinglimit > $5000
Then similar syntax could be used to express:
b) Current value of signinglimit = $10,000
Any opinions?
Hal
-----Original Message-----
From: Damodaran, Suresh [mailto:Sure...@stercomm.com]
Sent: Wednesday, June 06, 2001 7:45 PM
To: 'xac...@lists.oasis-open.org'
Subject: RE: XACML TC Charter Revision - Strawman
Here is the revised TC Charter - from the lack of email on this thread in the past few days, I am assuming that all the comments are already in.
Notes:
1. Changes from previous version:
   a) "subject" has been replaced by "target"
   b) "CORBA CSIv2" replaced by "LDAP"
2. Charter is silent on the mechanisms for executing the policy (PDP and PEP).
3. Non-goals of XACML are missing (if any of you want to take a stab at it, please do)
Please send your comments.
--------------------------------------------------------------
Product of TC: XACML TC will define a core XML schema for representing entitlement policies, also called XACML.
Policy Target: The target of a policy (hereafter referred to as "target") can be any object that can be referenced in XML.
Protocols and bindings: XACML TC will define new protocols or identify bindings to existing protocols (e.g., XPath, LDAP) intended as means of accessing and communicating the policies.
Scope: XACML is expected to address fine grained control of authorized activities, the effect of characteristics of the access requestor, the authorization protocol over which the request is made, authorization based on classes of activities, and content introspection (i.e. authorization based on both the requestor and potentially attribute values within the target where the values of the attributes may not be known to the policy writer).
Extensibility: XACML core schema is extensible for as yet unknown features.
Interoperability: XACML TC will define interoperability of XACML core schema with other standards.
Simon Blackwell, Suresh Damodaran, Fred Moses
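Hal's three forms above (a policy, the TRUE/FALSE result of evaluating it, and a request that names a target and supplies only some inputs, leaving the PDP to observe or default the rest) as a small added example of a policy evaluator. This is written for this page and is not code from the thread or from any XACML implementation; the policy store, the `purchase-order` target, the observed `date` and the `unauthenticated` default are constructed assumptions. It deliberately uses one comparison syntax for both the policy condition (`signinglimit > $5000`) and the asserted input (`signinglimit = $10,000`), which is the reuse Hal suggests in (a) and (b).

```python
import operator
from datetime import datetime, timezone

# One small comparison syntax serves both the policy condition and the input assertion.
OPS = {">": operator.gt, "<": operator.lt, ">=": operator.ge, "<=": operator.le,
       "=": operator.eq, "!=": operator.ne}

def parse(stmt):
    """'signinglimit > $5000' -> ('signinglimit', '>', 5000); non-numeric values stay strings."""
    name, op, value = stmt.split(None, 2)
    if op not in OPS:
        raise ValueError("unknown operator in statement: %r" % stmt)
    try:
        value = int(value.replace("$", "").replace(",", ""))
    except ValueError:
        pass
    return name, op, value

# Constructed policy store (assumption): target name -> conditions that must all hold.
POLICIES = {
    "purchase-order": ["signinglimit > $5000", "subject != unauthenticated"],
}
# Inputs the PDP fills in itself when the request omits them: observed, then defaulted.
OBSERVED = {"date": lambda: datetime.now(timezone.utc).date().isoformat()}
DEFAULTS = {"subject": "unauthenticated"}

def bind_inputs(statements):
    """Turn request inputs ('signinglimit = $10,000') into an attribute map, then complete it."""
    attrs = {}
    for stmt in statements:
        name, op, value = parse(stmt)
        if op != "=":
            raise ValueError("a request input must assert a current value with '='")
        attrs[name] = value
    for name, observe in OBSERVED.items():
        attrs.setdefault(name, observe())
    for name, value in DEFAULTS.items():
        attrs.setdefault(name, value)
    return attrs

def evaluate(target, inputs):
    """Form 3: evaluate the policies that apply to `target` given partial inputs."""
    if target not in POLICIES:
        return "NOT_APPLICABLE"          # no policy names this target: no TRUE/FALSE to give
    attrs = bind_inputs(inputs)
    for stmt in POLICIES[target]:
        name, op, value = parse(stmt)
        try:
            ok = name in attrs and OPS[op](attrs[name], value)
        except TypeError:                # e.g. a string input compared with a number
            ok = False
        if not ok:
            return "FALSE"               # a missing or failing condition denies; no guessing
    return "TRUE"
```

A request that omits `subject` is evaluated against the `unauthenticated` default rather than rejected, which is the behaviour Hal describes and also the reason a PDP's default table deserves the same review as its policies.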