Greg,
On further reflection, I have concerns about the proposal to include XACML Conditions in a SAML Assertion.
My question is, what exactly do you propose to do with the condition expression? I can think of at least four possible operations which might be performed:
1. Compute the expression value using the input attributes,
2. Find the attributes needed to compute the expression value,
3. Find attributes which produce a particular expression value, e.g. TRUE, and
4. Compare two different expressions (e.g. in the SAML Assertion and in the XACML Policy) to determine if they will give the same result.
XACML only really says how to do #1. We generally can manage to do #2 for conventional attributes, but I am not sure how it would work for the advanced, privacy preserving credentials you described on the last call.
I believe that #4 is NP-complete in the general case.
Can you outline exactly what steps would be performed in making use of a condition in a SAML (attribute) assertion?
Hal
>
Original Message-----
> From: Rich.Levinson
> Sent: Wednesday, November 03, 2010 10:50 PM
> To: xacml@lists.oasis-open.org
> Subject: [xacml] Groups - Asserting attribute predicates in SAML and
> XACML (XACML_TC_Conditions_in_SAML-XACML[1].ppt) uploaded
>
>
> (Resending this message as non-std chars in Subject line may have
> caused illegibility.)
>
> Primelife Project:
> Greg Neven of IBM Research, Zurich presented an overview of
> the Primelife
> Project with proposals of how XACML and SAML may be able to
> address various
> requirements associated with this work. A paper from the W3C-sponsored
> Workshop on Access Control that Greg presented may be found here for
> background reference:
> http://www.w3.org/2009/policy-ws/papers/Neven.pdf
>
> Notes from the TC meeting discussion may be found here:
> http://lists.oasis-open.org/archives/xacml/201010/msg00011.html
>
> -- Rich Levinson
>
> The document named Asserting attribute predicates in SAML and XACML
> (XACML_TC_Conditions_in_SAML-XACML[1].ppt) has been submitted by Rich
> Levinson to the OASIS eXtensible Access Control Markup
> Language (XACML) TC
> document repository.
>
> Document Description:
> Primelife Project:
> Greg Neven of IBM Research, Zurich presented an overview of
> the Primelife
> Project with proposals of how XACML and SAML may be able to
> address various
> requirements associated with this work. A paper from the W3C-sponsored
> Workshop on Access Control that Greg presented may be found here for
> background reference:
> http://www.w3.org/2009/policy-ws/papers/Neven.pdf
>
> Notes from the TC meeting discussion may be found here:
> http://lists.oasis-open.org/archives/xacml/201010/msg00011.html
>
> View Document Details:
> http://www.oasis-open.org/committees/document.php?document_id=39960
>
> Download Document:
> http://www.oasis-open.org/committees/download.php/39960/XACML_
TC_Conditions_in_SAML-XACML%5B1%5D.ppt
PLEASE NOTE: If the above links do not work for you, your email application
may be breaking the link into two pieces. You may be able to copy and paste
the entire link address into the address field of your web browser.
-OASIS Open Administration
---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail. Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php