OASIS eXtensible Access Control Markup Language (XACML) TC
A dynamic revocation model for XACML
    Posted 07-01-2008 20:32
    All,
    
    Back when I worked as a researcher at the Swedish Institute of Computer 
    Science, a colleague of mine, Ludwig Seitz, and I wrote a paper on a 
    revocation model for XACML.
    
    The paper was intended for academic publication, but it was difficult to 
    make a good presentation of the topic, since covering it fully would 
    essentially mean duplicating the delegation profile to explain the 
    context of the work. We never got around to getting it into a state where 
    it could be published at an academic workshop.
    
    SICS has published the paper in their technical report series. It is called
    
    "T2008-10 Context Dependent Revocation in Delegated XACML"
    
    and it is available here:
    
    http://www.sics.se/libindex.html
    ftp://ftp.sics.se/pub/SICS-reports/Reports/SICS-T--2008-10--SE.pdf
    
    You should read the full paper to get all the details, but the quick 
    summary is this: The paper presents a revocation model for the draft 
    delegation profile in 3.0, where the model could be summarized as "You 
    may revoke those policies which you could create yourself". The use case 
    is that administrators may change positions, in which case each 
    administrator should be able to handle those policies which are his 
    duties, whether they were issued by him in person or by someone else. This 
    is in contrast to the more typical revocation model, for instance in 
    X.509 PKI, where the issuer of something is the authority of revocation. 
    In the model we wanted the already existing administrative policies also 
    to define the scope of rights to revoke policies, in addition to the 
    scope of rights to issue policies.
    
    It is our hope that this will be beneficial to XACML and the XACML 
    community.
    
    Best regards,
    Erik
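The contrast the post draws between issuer-based revocation and "you may revoke what you could create yourself" can be shown with a small simulation. This is an added illustration, not code from the paper or the XACML TC; the `AdminPolicy` resource-prefix scope, the `AccessPolicy` shape and the alice/bob scenario are assumptions standing in for the delegation profile's administrative policies.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AdminPolicy:
    """Hypothetical administrative policy (assumption): `admin` may issue
    access policies for any resource under `resource_prefix`."""
    admin: str
    resource_prefix: str


@dataclass(frozen=True)
class AccessPolicy:
    policy_id: str
    issuer: str
    resource: str


def may_issue(admin, resource, admin_policies):
    """True if an administrative policy lets `admin` issue a policy on `resource`."""
    return any(a.admin == admin and resource.startswith(a.resource_prefix)
               for a in admin_policies)


def may_revoke_issuer_model(admin, policy):
    """X.509-style rule: only the original issuer is the revocation authority."""
    return policy.issuer == admin


def may_revoke_scope_model(admin, policy, admin_policies):
    """Rule summarised in the post: you may revoke what you could issue yourself."""
    return may_issue(admin, policy.resource, admin_policies)


def revoke(admin, policy_id, policies, admin_policies):
    """Apply the scope model: return the policy set with `policy_id` removed
    only if `admin` is currently permitted to revoke it."""
    return {p for p in policies
            if not (p.policy_id == policy_id
                    and may_revoke_scope_model(admin, p, admin_policies))}


# Constructed scenario: alice administered /finance/ and issued P1, then
# changed position to /hr/ while bob took over /finance/.
P1 = AccessPolicy("p1", issuer="alice", resource="/finance/ledger")
ADMIN_BEFORE = frozenset({AdminPolicy("alice", "/finance/")})
ADMIN_AFTER = frozenset({AdminPolicy("alice", "/hr/"),
                         AdminPolicy("bob", "/finance/")})
```

Under the issuer model alice keeps revocation rights over P1 after leaving finance and bob never gets them; under the scope model the rights follow the administrative policies, so bob can revoke P1 and alice no longer can.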