Subject: Re: [xacml] Mon 29th concall - URGENT
Hi
I will not be able to participate in the concall either (I am out of the office).
best
-p
On Mon, 29 Apr 2002, Michiharu Kudoh wrote:
>
> I will not be able to join the confcall today because of schedule
> conflicts. Since I had little time to update the current proposal, I just
> attach below the same document I sent the other day, and also attach the
> XACML Context schema and XACML Response Context schema without any
> modification from the discussion at the F2F in Milan.
>
> Best regards,
> Michiharu Kudo
>
> IBM Tokyo Research Laboratory, Internet Technology
> Tel. +81 (46) 215-4642 Fax +81 (46) 273-7428
> ===============================================================
> Proposal Draft for XACML Context
> April 23, 2002
> Author: Michiharu Kudo
>
> This proposal introduces an XACML Context that defines the input parameters to
> the XACML policy evaluation engine. A primary purpose of the XACML Context is
> to facilitate attribute expressions that refer to the input parameters of
> XACML.
>
> 1. Issues
> When the XACML policy evaluation processor tries to retrieve values specified
> in the SAML Request, it potentially causes the following problems:
>
> - A policy writer needs to add some information that may not be
> included in the SAML Request, e.g. the distinction between a subject attribute
> and a resource attribute.
> - The XACML policy specification greatly depends on the SAML Request syntax and
> semantics, which may be updated from time to time.
> - Since several assertion specification formats/syntaxes/semantics have been
> proposed/deployed, a SAML-dependent XACML policy specification may reduce the
> applicability of the XACML policy specification.
>
> 2. XACML Context
> We introduce the notion of an XACML Context that functions as an intermediate,
> assertion-neutral input data structure. The XACML Context is represented by an
> XML document (logically; it is not necessarily a physical XML instance but a
> hypothetical XML document) that contains enough information for the XACML
> processor, such as subject attributes (e.g. role of the requesting
> principal), resource attributes (e.g. size of the resource), and miscellaneous
> attributes (e.g. current time). While we assume that all the input to the XACML
> Context is retrieved from the corresponding SAML Request, there is a case
> where the PDP supplies a set of attribute type-value pairs for subjects and
> resources. It depends on the configuration of the PDP.
>
> 2.1 Merits
> - The XACML Policy specification becomes simpler with respect to attribute
> references and their expression.
> - XPath computation is done only once when the transformation from
> original access request to XACML Context is performed.
> - The XACML processor does not have to compute XPath expressions on the target
> XML resource, which might cause a performance bottleneck, particularly when the
> target XML is huge.
> - When the target resource is XML, the XACML policy does not have to be aware of
> the difference between a remote XML instance (referred to by URI) and a local
> XML instance embedded in the original access request.
>
> 2.2 Proposal
>
> 1. The XACML policyStatement (and/or policySetStatement) specifies an optional
> <transforms> element that defines the syntax and the semantics of the XACML
> Context.
>
> 2. <transforms> is described using XSLT syntax.
>
> 3. When the <transforms> element is specified in <policyStatement>, the PDP
> performs a set of transformations against the SAML Request (if the access
> request is represented in SAML) and the requested XML target resource (if the
> target is an XML resource).
>
> 4. Once the transformation is performed, the input to the XACML processor,
> including the access request and relevant information, is specified as a
> potentially simple XML document whose element names are easily referred to by
> simple XPath expressions (e.g. /context/subject/NameIdentifier) in both the
> <target> section and the <condition> section.
>
> 5. Through the face-to-face discussion by TC members, we decided to
> define an XML schema for XACML Context.
> The following figure shows a data-flow of XACML Context-based Architecture.
> (refer to the pdf or word file)
>
> ============================================================
> XACML Context Schema (temporary result from the F2F discussion, may not be
> valid)
>
> <?xml version="1.0" encoding="UTF-8"?>
> <schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="unqualified"
> attributeFormDefault="unqualified">
> <complexType name="ContextType">
> <sequence>
> <element ref="xacml:ContextPrincipal"/>
> <element ref="xacml:ContextResource"/>
> <element ref="xacml:ContextAction"/>
> <element ref="xacml:ContextRequestParameters"/>
> <element ref="xacml:ContextOther"/>
> </sequence>
> </complexType>
>
> <element name="ContextPrincipal" type="xacml:ContextPrincipalType"/>
> <complexType name="ContextPrincipalType">
> <sequence>
> <element ref="xacml:PrincipalSpecifier" minOccurs="1" maxOccurs
> ="unbounded"/>
> <element ref="xacml:Assertion" minOccurs="0" maxOccurs="unbounded"/>
> </sequence>
> </complexType>
>
> <complexType name="PrincipalSpecifierAbstractType" abstract="true"/>
>
> <element name="SimplePrincipalSpecifier" type
> ="xacml:SimplePrincipalSpecifierType"/>
> <complexType name="SimplePrincipalSpecifierType">
> <complexContent>
> <extension base="xacml:PrincipalSpecifierAbstractType">
> <choice>
> <sequence>
> <element ref="NameIdentifier"/>
> <element ref="SubjectConfirmation" minOccurs="0"/>
> </sequence>
> <element ref="SubjectConfirmation"/>
> </choice>
> </extension>
> </complexContent>
> </complexType>
>
> <element name="ContextResource" type="xacml:ContextResourceType"/>
> <complexType name="ContextResourceType">
> <sequence>
> <element ref="xacml:ResourceSpecifier"/>
> <element ref="xacml:Assertion" minOccurs="0" maxOccurs="unbounded"/>
> </sequence>
> </complexType>
>
> <element name="ResourceSpecifier" type="xacml:ResourceSpecifierType"/>
> <complexType name="ResourceSpecifierType">
> <sequence>
> <element ref="Content" minOccurs="0"/>
> </sequence>
> <attribute name="uri" type="anyURI" use="optional"/>
> </complexType>
>
> <element name="Content" type="anyType"/>
>
> <element name="ContextAction" type="xacml:ContextActionType"/>
> <complexType name="ContextActionType">
> <element ref="xacml:ActionSpecifier"/>
> </complexType>
>
> <element name="ContextRequestParameters" type
> ="xacml:ContextRequestParametersType"/>
> <complexType name="ContextRequestParametersType">
> <sequence>
> <element ref="xacml:Parameter" minOccurs="0" maxOccurs="unbounded"/>
> </sequence>
> </complexType>
>
> <element name="ContextOther" type="xacml:ContextOtherType"/>
> <complexType name="ContextOtherType">
> <sequence>
> <element ref="xacml:Assertion" minOccurs="0" maxOccurs="unbounded"/>
> </sequence>
> </complexType>
>
> <element name="Assertion" type="xacml:AssertionType"/>
> <complexType name="AssertionType">
> <sequence>
> <choice maxOccurs="unbounded">
> <element ref="xacml:AuthenticationStatement"/>
> <element ref="xacml:AuthorizationDecisionStatement"/>
> <element ref="xacml:AttributeStatement"/>
> </choice>
> </sequence>
> <attribute name="Issuer" type="string" use="required"/>
> <attribute name="IssueInstant" type="dateTime" use="optional"/>
> </complexType>
>
> <complexType name="AbstractStatementType" abstract="true">
> <sequence>
> <element ref="xacml:AssnSubject" minOccurs="0" maxOccurs="1"/>
> </sequence>
> </complexType>
>
> <element name="AssnSubject" type="xacml:AssnSubjectType"/>
> <complexType name="AssnSubjectType">
> </complexType>
> <complexType name="AuthenticationStatementType">
> <complexContent>
> </complexContent>
> </complexType>
> </schema>
>
>
> ============================================================
> XACML Response Context Schema (temporary result from the F2F discussion,
> may not be valid!)
>
> <?xml version="1.0" encoding="UTF-8"?>
> <schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="unqualified"
> attributeFormDefault="unqualified">
>
> <element name="ResponseContext" type="xacml:ResponseContextType"/>
> <complexType name="ResponseContextType">
> <sequence>
> <element ref="xacml:Decision" minOccurs="1" maxOccurs="1"/>
> </sequence>
> </complexType>
>
> <element name="Decision" type="xacml:DecisionType"/>
>
> <element name="Permit" type="xacml:EffectDecisionType"/>
> <element name="Deny" type="xacml:EffectDecisionType"/>
> <element name="Indeterminate" type="xacml:IndeterminateDecisionType"/>
>
> <complexType name="DecisionType" abstract="true"/>
>
> <complexType name="EffectDecisionType">
> <extension base="DecisionType">
> <sequence>
> <element ref="xacml:Obligations"/>
> </sequence>
> </extension>
> </complexType>
>
> <complexType name="IndeterminateDecisionType">
> <extension base="DecisionType">
> <sequence>
> <element ref="xacml:Advice"/>
> </sequence>
> </extension>
> </complexType>
>
> <element name="Obligations" type="xacml:ObligationsType"/>
> <complexType name="ObligationsType">
> <sequence>
> <element ref="xacml:Obligation" minOccurs="0" maxOccurs="unbounded"/>
> </sequence>
> </complexType>
>
> <element name="Obligation" type="xacml:ObligationType"/>
> <complexType name="ObligationType">
> <sequence>
> <element ref="xacml:Parameter" minOccurs="0" maxOccurs="unbounded"/>
> </sequence>
> <attribute name="uri" type="anyURI"/>
> </complexType>
>
> <element name="Advice" type="xacml:AdviceType"/>
> <complexType name="AdviceType">
> .....
> </complexType>
> </schema>
>
>
> ernesto damiani <edamiani@crema.unimi.it>
> To: Anne.Anderson@Sun.com, XACML TC <xacml@lists.oasis-open.org>
> cc:
> Subject: [xacml] Mon 29th concall - URGENT
> Date: 2002/04/29 18:28
> Please respond to ernesto damiani
>
> Dear all,
> I hope you all had a safe trip back and carry not-too-bad memories of your
> stay in Italy.
> As was decided at the F2F, the agenda for today's concall will be
>
> 1. discussing and hopefully approving Michiharu's (and Simon's) proposal for
> the XACML context that was sent to the list a couple of days ago. Tim's comments
> would be useful here.
>
> 2. As a possible second point, I would also like to remind you that we still
> do not have a description of our activity on the Web; Michiharu asked for one.
> Here is my proposal:
>
> "The Schema subcommittee is aimed at:
> 1. developing the XACML access control model into an XML Schema (and its
> associated namespace) expressing normative XACML 1.0 syntax.
> 2. providing examples of policies written in XACML based on real-world use
> cases.
> 3. providing general, non-normative guidelines for implementation and
> conformance tests."
>
> Anyway, points two and three could be deleted if you believe we already have
> our hands full at the moment.
>
> IMPORTANT: I had a sudden health problem (nothing serious, a terrible
> toothache, and my face is half swollen). I am waiting for a call from my
> dentist telling me when I can go, and if it is during concall hours I won't
> be able to attend. Sorry.
>
>
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: <http://lists.oasis-open.org/ob/adm.pl>
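As an added illustration of the data flow in section 2.2 of the quoted proposal (example code, not from the thread or the TC): a constructed SAML-style request is transformed once into a Context document, and a toy PDP evaluates rules that reference the Context only through short relative XPaths, answering Indeterminate when a rule refers to an attribute the Context does not carry. The Context element names follow the draft schema above; the request layout, the rule format and first-applicable combining are assumptions made here.

```python
import xml.etree.ElementTree as ET

# Constructed SAML-style access request used as sample input (not from the thread).
SAML_REQUEST = """<Request>
  <Subject><NameIdentifier>alice@example.org</NameIdentifier></Subject>
  <Subject><NameIdentifier>role:editor</NameIdentifier></Subject>
  <Resource uri="https://example.org/docs/report.xml"/>
  <Action>read</Action>
</Request>"""

def build_context(saml_xml):
    """The <transforms> step: rewrite the request once into the Context layout."""
    req = ET.fromstring(saml_xml)
    ctx = ET.Element("Context")
    principal = ET.SubElement(ctx, "ContextPrincipal")
    for subj in req.findall("Subject"):
        spec = ET.SubElement(principal, "PrincipalSpecifier")
        ET.SubElement(spec, "NameIdentifier").text = subj.findtext("NameIdentifier")
    res = ET.SubElement(ctx, "ContextResource")
    ET.SubElement(res, "ResourceSpecifier", uri=req.find("Resource").get("uri"))
    act = ET.SubElement(ctx, "ContextAction")
    ET.SubElement(act, "ActionSpecifier").text = req.findtext("Action")
    return ctx

# Rules refer to the Context only through short relative XPaths, so the PDP
# never touches SAML syntax or the target XML itself (the merit listed in 2.1).
# Assumed rule format: each rule is an effect plus path -> expected value pairs.
POLICY = [
    {"effect": "Permit", "target": {"ContextAction/ActionSpecifier": "read",
     "ContextPrincipal/PrincipalSpecifier/NameIdentifier": "role:editor"}},
    {"effect": "Deny", "target": {"ContextAction/ActionSpecifier": "write"}},
]

def rule_matches(ctx, target):
    """True/False on the attribute values; None when a referenced path is absent."""
    for path, value in target.items():
        nodes = ctx.findall(path)
        if not nodes:
            return None
        if value not in [n.text for n in nodes]:
            return False
    return True

def evaluate(ctx, policy):
    """First-applicable combining; a missing attribute yields Indeterminate."""
    for rule in policy:
        match = rule_matches(ctx, rule["target"])
        if match is not False:  # None -> Indeterminate, True -> the rule's effect
            return "Indeterminate" if match is None else rule["effect"]
    return "Deny"  # no rule applied: fail closed
```

The string returned by evaluate is what the draft Response Context schema would carry as the Permit, Deny or Indeterminate child of Decision.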