OASIS eXtensible Access Control Markup Language (XACML) TC

FW: [security-services] Proposed Agenda for SAML 2.0 F2F. Forwarded message from Mishra, Prateek.

    Posted 08-29-2003 13:46

    Subject: FW: [security-services] Proposed Agenda for SAML 2.0 F2F. Forwarded message from Mishra, Prateek.


    SAML AuthzDecisionQuery/Resp people,
    
    Any objections to this schedule?  We would have time on Tuesday
    to do our side-session (time still unspecified, but RSA would
    provide facilities), and then present our joint AuthzQuery
    proposal to the SSTC on Wednesday from 9-10:30.
    
    I am also including the latest version of the Abstract
    Requirements list.  Note that these are candidate requirements -
    being on the list does not mean we have agreed yet.  This list
    does not include anything for step 1 of multi-step authorization,
    because it seems that should be a separate type of
    "AttributeQuery", not necessarily handled by a PDP.  I will put
    it on the list for discussion if the OGSA people still think it
    should be part of the AuthzQuery.
    
    Anne
    
    Title:   Abstract Requirements for SAML AuthorizationDecisionQuery/Response
    Author:  Anne Anderson
    Version: 1.2, 03/08/28 (yy/mm/dd)
    
    1. Way to pass an XACML Request Context in the Query and an XACML
       Response Context in the Decision.  Should not extend
       SubjectQueryAbstractType and SubjectStatementAbstractType
       because Subject element is redundant and inconsistent.
    2. Way to indicate in the Query that an (note might not match
       input Request) XACML Request Context is to be returned as part
       of the Decision.
    3. Way to indicate in the Query whether the PDP is free to
       collect Attributes for use in making the Decision from sources
       other than the XACML Request Context passed in the Query.
    4. Associate a DataType with an Issuer name, such that the name
       can be determined to be a string, an X.500 Distinguished Name,
       etc.
    5. Way to return an XACML Policy/PolicySet in a Decision as a
       condition that must evaluate to "Permit" in order for the
       Decision to be valid.  Way to indicate that such a condition
       is associated with the Decision.  Might be appropriate to put
       this condition and indication into the XACML Response Context
       itself.
    6. Way to pass an XACML Policy/PolicySet in a Query along with
       an indication that such a policy is being supplied and whether
       this Policy/PolicySet is to be used alone or in conjunction
       with other Policies/PolicySets available to the PDP in
       evaluating the Query.
    7. Better correspondence between SAML Attribute format and XACML
       Request Context Attribute format such that SAML Attributes can
       be translated into XACML Request Context Attributes
       mechanically and easily.
    8. SAML Policy Statement syntax, allowing an issuer to state and
       sign an XACML Policy/PolicySet.
    9. SAML Policy Query syntax, allowing a PDP to request a Policy/PolicySet
       by its Policy[Set]Id from an on-line Policy Administration
       Point (are there any online PAPs?  If not, no need for this).
    
    ------- start of forwarded message -------
    From: "Mishra, Prateek" <pmishra@netegrity.com>
    To: "'Anne.Anderson@Sun.com'" <Anne.Anderson@sun.com>
    Subject: FW: [security-services] Proposed Agenda for SAML 2.0 F2F
    Date: Fri, 29 Aug 2003 09:43:36 -0400
    
    Anne,
     
    Here is the proposed agenda. Our thinking was that if XACML needed a
    "side-session", this could be accomplished on Tuesday. Rob has indicated
    that RSA would make the needed facilities available.
     
    Does it work for you?