OASIS eXtensible Access Control Markup Language (XACML) TC


Re: [xacml] XACML Obligations and SAML Conditions (?)

    Posted 09-11-2003 13:35
    
    Hi, Frank
    
    >>In the case of an xacml response, the obligations seem part of that response,
    >>and together constitute the statement. It is this complete statement that will
    >>be used by the pep after the validation of the assertion.
    
    I agree. My original thought was that the obligations in an XACML response are
    associated with each decision (for a certain target resource) and handled
    by the PEP. On the other hand, a SAML assertion's condition means some condition
    on the statement, which is substantially different from the obligations. So
    my preference is not to bind XACML's obligation to the SAML condition.
    
    Michiharu Kudo
    
    
                                                                                                                                           
    From:     Frank Siebenlist <franks@mcs.anl.gov>
    Date:     2003/09/11 01:01
    To:       Polar Humenn <polar@syr.edu>
    cc:       XACML TC <xacml@lists.oasis-open.org>
    Subject:  Re: [xacml] XACML Obligations and SAML Conditions (?)
                                                                                                                                           
                                                                                                                                           
    
    
    
    Not sure if "considering" is the right wording ... as I understood it, it was a
    point of discussion that required resolution, and was added to the saml 2.0 todo
    list. I just sent in my 5c before I forgot ;-)
    
    -Frank.
    
    
    Polar Humenn wrote:
    
    > On Wed, 10 Sep 2003, Frank Siebenlist wrote:
    >
    >
    >>In my mind, the issuer of an assertion vouches for the validity of the
    >>statement, and that the conditions clause should only apply to the validity of
    >>the statement as a whole.
    >>
    >>In the case of an xacml response, the obligations seem part of that response,
    >>and together constitute the statement. It is this complete statement that will
    >>be used by the pep after the validation of the assertion.
    >>
    >>To pull the obligations out and carry them in the saml's conditions doesn't seem
    >>to fit that model well.
    >
    >
    > Ah, I got your point. I agree with you. The response carrying within an
    > XACML response should be captured as a whole statement.
    >
    > Were we really considering pulling obligations out into the Conditions?
    >
    > Cheers,
    > -Polar
    >
    >
    >>-Frank.
    >>
    >>
    >>Polar Humenn wrote:
    >>
    >>
    >>>On Wed, 10 Sep 2003, Frank Siebenlist wrote:
    >>>
    >>>
    >>>
    >>>>My feel is that the saml condition is on the assertion level, while the xacml
    >>>>obligation is on the decision response level.
    >>>>
    >>>>Does it make sense to have the decision response including the obligations live
    >>>>outside of the assertion?
    >>>>If the answer is yes, then that may have answered the question...
    >>>
    >>>
    >>>I'm not quite sure what you mean.
    >>>
    >>>An obligation is part of the decision response. If we use the SAML
    >>>Response to wrap this XACML response, by virtue of being a SAML Response,
    >>>does that mean the XACML Response must be an Assertion? So, do you mean by
    >>>turning the response into a SAML Assertion that we should strip the
    >>>obligations out and put them somewhere else?
    >>>
    >>>-Polar
    >>>
    >>>
    >>>
    >>>>-Frank.
    >>>>
    >>>>
    >>>
    >>>
    >>
    >
    
    --
    Frank Siebenlist              franks@mcs.anl.gov
    The Globus Project - Argonne National Laboratory
    
    