OASIS eXtensible Access Control Markup Language (XACML) TC

  • 1.  New Topic: Policy Provisioning

    Posted 02-23-2007 16:51
    Prateek asked:
    
    Our strategy involves a PDP per device/application/cluster. There may be
    100s of PDPs. Is there a framework for PDP provisioning from a central
    policy repository?
    
    PDP provisioning presents significant challenges:
    
    - Download only relevant policy to PDP
    - Bulk upload is also needed
    - Some PDPs may operate in disconnected mode
      - Network outage
      - Disconnected device
    - With large policy set, prefer to propagate only updates
    
    SAML 2.0 Profile of XACML 2.0


  • 2.  Re: [xacml] New Topic: Policy Provisioning

    Posted 03-06-2007 14:57
    Hal,
    
    Your proposed approach is of interest to us.
    
    I will obtain additional feedback on this issue and post the use-cases 
    of interest to us.
    
    - prateek
    
    
    > I have taken a further look at SPML and suggest the following might be a
    > reasonable approach. Base the implementation on the SPML v2 - XSD
    > Profile. Use Policy ID as the PSO Identifier. Using SPML defined
    > operations the PAP can inquire of a PDP what policies it currently has.
    > Using SPML the PAP can add, modify and delete policies as required.
    > Using the SPML Batch capability, the PAP can insure that a set of
    > updates is applied as a unit, thus avoiding the problem of the PDP
    > making decisions on some inconsistent, interim set of policies. SPML
    > also provides other potentially useful features such as error codes,
    > asynchronous operations and capability queries.
    >
    > The main thing that this proposal requires is people who are willing to
    > contribute to the work and edit the document.
    >
    > Hal 
    >
    >   
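An added example, not code from this thread and not from SPML or any OASIS specification: a small in-memory model of the provisioning pattern Hal sketches above, which also covers the "propagate only updates" and "download only relevant policy" points in Prateek's opening post. The PDP side exposes an inventory (policy id and version) so the PAP can ask what the PDP currently holds; the PAP side computes the delta against the set that PDP should have and emits only add/modify/delete operations; the PDP applies that batch as a unit, so the decision path never sees a half-applied policy set. The operation names, the version field, the `urn:example:` identifiers and the in-memory store are assumptions for illustration, not a wire format.

```python
import threading
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Policy:
    """One XACML policy as the PDP stores it. policy_id plays the role Hal gives the
    SPML PSO identifier; version is an assumed field used to detect stale copies."""
    policy_id: str
    version: int
    body: str  # the <Policy> XML text; treated as opaque here


@dataclass(frozen=True)
class Op:
    """One provisioning operation. 'add' and 'modify' carry a Policy; 'delete' carries
    the policy_id to remove. The kind names are an assumption, not SPML operation names."""
    kind: str
    policy: Optional[Policy] = None
    policy_id: Optional[str] = None


class BatchError(Exception):
    """Raised when a batch is rejected; the store is left exactly as it was."""


class PDPPolicyStore:
    """PDP-side policy set. Readers always see a complete set, old or new."""

    def __init__(self) -> None:
        self._policies: Dict[str, Policy] = {}
        self._lock = threading.Lock()  # serialises provisioning batches

    def inventory(self) -> Dict[str, int]:
        """What the PAP asks for first: the policy ids and versions this PDP holds."""
        return {pid: p.version for pid, p in self._policies.items()}

    def applicable(self) -> List[Policy]:
        """Snapshot used by the decision path; never an interim, partially updated set."""
        return list(self._policies.values())

    def apply_batch(self, ops: List[Op]) -> Dict[str, int]:
        """Apply all operations or none. Validation happens on a staged copy and the live
        set is replaced with one reference swap, so a failing op cannot leave a mixed state."""
        with self._lock:
            staged = dict(self._policies)
            for op in ops:
                if op.kind == "add":
                    if op.policy is None or op.policy.policy_id in staged:
                        raise BatchError(f"add: missing or duplicate policy in {op!r}")
                    staged[op.policy.policy_id] = op.policy
                elif op.kind == "modify":
                    if op.policy is None or op.policy.policy_id not in staged:
                        raise BatchError(f"modify: unknown policy in {op!r}")
                    staged[op.policy.policy_id] = op.policy
                elif op.kind == "delete":
                    if op.policy_id not in staged:
                        raise BatchError(f"delete: unknown policy id {op.policy_id!r}")
                    del staged[op.policy_id]
                else:
                    raise BatchError(f"unknown operation kind {op.kind!r}")
            self._policies = staged
            return self.inventory()


def compute_delta(desired: Dict[str, Policy], inventory: Dict[str, int]) -> List[Op]:
    """PAP side: given the policies this particular PDP should hold (the 'relevant'
    subset of the central repository) and what it reports holding, emit only the
    operations needed: adds for missing ids, modifies for changed versions, deletes
    for ids the PDP should no longer have."""
    ops: List[Op] = []
    for pid, pol in desired.items():
        if pid not in inventory:
            ops.append(Op("add", policy=pol))
        elif inventory[pid] != pol.version:
            ops.append(Op("modify", policy=pol))
    for pid in inventory:
        if pid not in desired:
            ops.append(Op("delete", policy_id=pid))
    return ops


if __name__ == "__main__":
    # Constructed sample data: two policies, then a revision and a retirement.
    p1 = Policy("urn:example:policy:1", 1, "<Policy PolicyId='urn:example:policy:1'/>")
    p2 = Policy("urn:example:policy:2", 1, "<Policy PolicyId='urn:example:policy:2'/>")
    store = PDPPolicyStore()
    store.apply_batch(compute_delta({p1.policy_id: p1, p2.policy_id: p2}, store.inventory()))
    p1b = Policy(p1.policy_id, 2, "<Policy PolicyId='urn:example:policy:1' Version='2'/>")
    delta = compute_delta({p1.policy_id: p1b}, store.inventory())
    print([op.kind for op in delta], store.apply_batch(delta))
```

The same delta computation serves a PDP that has been disconnected for a while: when it reconnects, the PAP asks for its inventory and sends only what changed in the interim, rather than re-sending the full policy set.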
    
    


  • 3.  Re: [xacml] New Topic: Policy Provisioning

    Posted 03-06-2007 15:43



  • 4.  RE: [xacml] New Topic: Policy Provisioning

    Posted 03-06-2007 15:50

    I don’t see any technical reason why SPML is inappropriate. Policy provisioning has been discussed by the Provisioning TC as a usecase. In addition, there are specific features of SPML, such as operators, batching, etc. which we would have to reinvent if we do not use SPML. Do you see a specific technical problem or have an alternative starting point in mind?

    Hal


    From: Anthony Nadalin [mailto:drsecure@us.ibm.com]
    Sent: Tuesday, March 06, 2007 10:27 AM
    To: Prateek Mishra
    Cc: Hal Lockhart; xacml@lists.oasis-open.org
    Subject: Re: [xacml] New Topic: Policy Provisioning

    Is SPML the proper protocol for policy lifecycle mechanisms? Seems like a bit of a stretch

    Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122



  • 5.  RE: [xacml] New Topic: Policy Provisioning

    Posted 03-07-2007 03:29



  • 6.  RE: [xacml] New Topic: Policy Provisioning

    Posted 03-07-2007 16:53

    I think there is a basic misunderstanding here. I did not mean to suggest that XACML endorse the implementation of SPML 2.0. What I am proposing is that we use parts of the schema and some of the semantics as appropriate as the starting point to construct a XACML Policy Provisioning Protocol. This would be exactly analogous to the Policy Request and Policy Decisions Protocols in the XACML SAML Profile. Using these protocols does not require you to support any other parts of SAML.

    Hal


    From: Anthony Nadalin [mailto:drsecure@us.ibm.com]
    Sent: Tuesday, March 06, 2007 10:28 PM
    To: Hal Lockhart
    Cc: Prateek Mishra; xacml@lists.oasis-open.org
    Subject: RE: [xacml] New Topic: Policy Provisioning

    I think that there are a number of issues:

    1) Very large feature set, a number of capabilities in the core set belong to web services development tools rather than provisioning, including schema and capability discovery. This places a burden on implementing SPML 2. This poses problems for vendors trying to implement SPML introducing the need to hand craft SPML implementations and for IT organizations in hand crafting client applications (requesting authorities) for those SPML providers rather than being able to generate code from WSDL.

    2) Insufficient description of integration with security. There is no description of communication of the identity of the user submitting the request (identity of the RA), which may be necessary for authentication, authorization, and auditing. T

    3) Insufficient feature set for enterprises wanting to develop simple self service user interfaces with web services.

    WS-MEX/Transfer may be one approach. One of the key problems that it addresses is the need for out-of-band information that SPML does, which is related to the first point above.





  • 7.  RE: [xacml] New Topic: Policy Provisioning

    Posted 03-07-2007 22:23


  • 8.  RE: [xacml] New Topic: Policy Provisioning

    Posted 03-08-2007 15:24



  • 9.  RE: [xacml] New Topic: Policy Provisioning

    Posted 03-08-2007 03:42



  • 10.  RE: [xacml] New Topic: Policy Provisioning

    Posted 03-08-2007 21:36

    I am certainly open to considering them as an alternative technical approach. As I understand it, WS-MEX and WS-Transfer are still someway from being standardized.

    Hal


    From: Anthony Nadalin [mailto:drsecure@us.ibm.com]
    Sent: Wednesday, March 07, 2007 7:03 PM
    To: Hal Lockhart
    Cc: Prateek Mishra; xacml@lists.oasis-open.org
    Subject: RE: [xacml] New Topic: Policy Provisioning

    And I'm suggesting that we have other web services protocols that also can provision policy like WS-MEX/Transfer/ResourceTransfer that need to be factored.

