I agree with Michiharu. To restate: 1) Return a set of obligations with the understanding that the PEP is expected to DENY access if it does not understand any one of the obligations. This is better than the PEP trying to tell the PDP ahead of time which obligations it does understand. The "deny if not understood" method has been working fine for PKIX critical extensions. 2) Obligations associated with an authorization decision of DENY are perfectly reasonable. For example, "DENY" access and log the fact that this user tried to gain access. "Michiharu Kudoh" <
KUDO@jp.ibm.com> wrote: >Date: Wed, 09 Oct 2002 20:24:14 +0900 >Based on the discussion on the list, >- Bill and I are in agreement. >- Daniel seems to be uncomfortable with an authorization decision like DENY >with obligation(s). >- Polar seems suggesting to include understandable obligations in the >request context to avoid emitting no-understandable obligations to PEP from >PDP. > >My opinion is that DENY with obligation (e.g. deny provided access must be >logged) is still useful for some applications e.g. security policy for a >firewall server and an authentication server. For example, "DENY with >notify-admin" means that the access is rejected but the notification of the >access must be sent to admin. The TC approved to include this long time >ago. > >For the no-understandable obligations, the Polar's suggestion to include >understandable obligations in request context might be one option. It >definitely eliminates the case when the PEP receives non-understandable >obligation from the PDP. But I have a slight concern. What if there are >hundreds of obligations the PEP understands? Then I don't think it is an >efficient way to mandate to include all the understandable obligations in >each access request because it may make access request very large, even if >such information is irrelevant to many access requests. Another way would >be to create a communication protocol between PDP and PEP to exchange a >list of understandable obligations, but it seems outside the scope of >XACML. XACML should focus on what decision must be generated in response to >what decision request. Therefore, I would prefer my original definition >that includes the case when the PEP does not understand the obligation. > >Michiharu Kudo > >IBM Tokyo Research Laboratory, Internet Technology >Tel. +81 (46) 215-4642 Fax +81 (46) 273-7428 > > > > > >---------------------------------------------------------------- >To subscribe or unsubscribe from this elist use the subscription >manager: <
http://lists.oasis-open.org/ob/adm.pl > Anne --------- Anne Anderson
Anne.Anderson@Sun.COM Internet Security Research Group Sun Labs, Burlington, MA Phone: 781-442-0928