OASIS eXtensible Access Control Markup Language (XACML) TC

RE: Resource sets and resource string semantics

  • 1.  RE: Resource sets and resource string semantics

    Posted 05-15-2001 20:46
    I don't think a PEP can make any assumptions about what kind of queries a
    PDP can answer without querying the PDP, i.e. there are no stupid questions.
    There is also nothing to say that the stuff in http://www.hp.com/* is
    actually a list of files. http://www.hp.com/* might simply be a virtual
    pointer to any resource accessed via http://www.hp.com/. 
    
    You are correct in the clearer reformulation of my question, thanks! However,
    the core question still remains: should the PDP be able to enumerate the
    resources available to a requestor or role given an expression to match
    against resource policy constraints in the PDP? The pattern might be an
    XPath or even a regular expression. The PDP would seem to have several
    options based on its configuration, e.g. reject non-explicit patterns,
    enumerate for non-explicit patterns, reply yes to non-explicit patterns if
    the result set is not empty (but don't enumerate), or reply no for the
    converse.
    
    Once again, the enumerating may open other security holes. Should the
    protocol be designed in such a way as to preclude it? It seems to me this
    will be a crucial point of intersection between SAML and XACML.
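
The three configuration options sketched in the post (reject pattern queries, enumerate matches, or answer only whether the match set is non-empty), modelled as an added toy PDP. This is example code, not from the post or the XACML TC; the role names, resource URIs, `WildcardMode` names and glob-style patterns are all constructed assumptions.

```python
import fnmatch
from enum import Enum

class WildcardMode(Enum):
    """Hypothetical PDP configuration for non-explicit (pattern) resource queries."""
    REJECT = "reject"        # refuse to evaluate patterns at all
    ENUMERATE = "enumerate"  # return every permitted resource matching the pattern
    EXISTS = "exists"        # answer Permit/Deny only, never the matching set

# Constructed sample policy: role -> set of explicitly permitted resource URIs.
POLICY = {
    "engineer": {
        "http://www.hp.com/specs/printer.pdf",
        "http://www.hp.com/specs/scanner.pdf",
        "http://www.hp.com/internal/roadmap.html",
    },
    "guest": {"http://www.example.org/public/index.html"},
}

PATTERN_CHARS = "*?["

def is_pattern(resource: str) -> bool:
    """A resource string containing glob metacharacters is a non-explicit query."""
    return any(c in resource for c in PATTERN_CHARS)

def evaluate(mode: WildcardMode, role: str, resource: str):
    """Return (decision, matches). matches is a list only in ENUMERATE mode.

    Decisions mirror XACML's Permit / Deny / Indeterminate vocabulary.
    """
    permitted = POLICY.get(role, set())
    if not is_pattern(resource):
        # Explicit resource: an ordinary yes/no access decision.
        return ("Permit" if resource in permitted else "Deny", None)
    if mode is WildcardMode.REJECT:
        # Pattern queries are not answered; nothing about the set is disclosed.
        return ("Indeterminate", None)
    matches = sorted(r for r in permitted if fnmatch.fnmatchcase(r, resource))
    decision = "Permit" if matches else "Deny"
    if mode is WildcardMode.ENUMERATE:
        # Discloses the resource names themselves; this is the "security hole"
        # the post worries about when a requester probes with broad patterns.
        return (decision, matches)
    # EXISTS: still an existence oracle (a Permit reveals that *something*
    # under the pattern is allowed), but the names stay hidden.
    return (decision, None)
```

Running the same `http://www.hp.com/*` query against each mode shows the trade-off: REJECT leaks nothing, EXISTS leaks one bit, ENUMERATE leaks the full resource list.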