OASIS eXtensible Access Control Markup Language (XACML) TC

Back to discussions
Expand all | Collapse all

Draft BTG Profile

David Chadwick

David Chadwick11-23-2010 17:08

John Davis

John Davis11-23-2010 19:50

  • 1.  Draft BTG Profile

    Posted 11-23-2010 17:08
      |   view attached

    Attachment(s)

    doc
    XACML BTG profile.doc   36 KB 1 version


  • 2.  Re: [xacml] Draft BTG Profile

    Posted 11-23-2010 19:03 
    

  
  


Hi David,

    
When I try to open this document, I get the message:
    

    "Word cannot start the converter mswrd632.wpc"
    

    
Is there something other than Word to use on this?

    
    Thanks,
    
    Rich


    
David Chadwick wrote:

    4CEBF4A7.3020000@kent.ac.uk" type="cite">Dear
List

    
about a year ago we discussed the standardisation of the Break The
Glass response (see Seth Proctor's message of 17 Dec 2009) and decided
that a profile to standardise the BTG response would be useful.
Unfortunately Seth left Sun before we got around to writing it.

    
Consequently Stijn Lievens and myself from Kent have produced a first
version (attached) for your consideration. I know its not in the
correct format yet, but we can fix that once the technical content has
been agreed.

    
Comments appreciated

    
regards

    
David

    
  
    
---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php


  • 3.  Re: [xacml] Draft BTG Profile

    Posted 11-23-2010 19:54 
    

  
  


Hi David,

    
Never mind. I got it ok from the email archives on Oasis. Must have
    
been my mail tool messed up.

    
    Thanks,
    
    Rich


    
Rich.Levinson wrote:

    4CEC0FAD.10905@oracle.com" type="cite">
  
  
Hi David,

    
When I try to open this document, I get the message:
    
  
    "Word cannot start the converter mswrd632.wpc"
    
  
    
Is there something other than Word to use on this?

    
    Thanks,
    
    Rich


    
David Chadwick wrote:
  
    4CEBF4A7.3020000@kent.ac.uk" type="cite">Dear
List

    
about a year ago we discussed the standardisation of the Break The
Glass response (see Seth Proctor's message of 17 Dec 2009) and decided
that a profile to standardise the BTG response would be useful.
Unfortunately Seth left Sun before we got around to writing it.

    
Consequently Stijn Lievens and myself from Kent have produced a first
version (attached) for your consideration. I know its not in the
correct format yet, but we can fix that once the technical content has
been agreed.

    
Comments appreciated

    
regards

    
David

    
---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php


  • 4.  RE: [xacml] Draft BTG Profile

    Posted 11-23-2010 19:50
      |   view attached

    Attachment(s)

    doc
    HL7 Emergency Access Abstract.doc   104 KB 1 version


  • 5.  RE: [xacml] Draft BTG Profile

    Posted 11-23-2010 21:57


  • 6.  Re: [xacml] Draft BTG Profile

    Posted 11-23-2010 22:05 
    Hi Martin,

      Please use the TC comment list to provide any/all feedback. 

    Thanks!

    Mary

    

    Mary P McRae
    Director, Standards Development
    Technical Committee Administrator
    Member Section Administrator
    OASIS: Advancing open standards for the information society
    phone: 1.603.232.9090

    Standards are like parachutes: they work best when they're open.




    


    On Nov 23, 2010, at 4:55 PM, Smith, Martin wrote:




  • 7.  Re: [xacml] Draft BTG Profile

    Posted 11-25-2010 14:29 
    Hi Martin

Given your two use cases below I would say that

1. is similar to our use case, but the solution you propose is somewhat
different to the one proposed in our BTG draft profile. The difference
appears to be as follows
a) you require the user to assert a particular attribute that it is not
normal to assert. The policy rule will grant access to the resource if
this "exceptional" attribute is asserted by the user
b) we only require the user to assert a normal attribute, but to request
a special permission "BTG". The BTG permission is granted for any users
who have this normal attribute. Once the BTG permission has been
granted, the state of the system changes (equivalent to the glass being
broken on the fire door) to BTG=true. The policy rule says that users
with normal attributes are granted access to the resource if BTG=true
(so they are normally denied access until the glass is broken).

2. This is out of scope of BTG and the draft profile is not trying to
address this aspect at all

regards

david


On 23/11/2010 21:55, Smith, Martin wrote:
> (Note―I don’t think this comment will reach the list as I am an 
> observer, not a member. If one of you--John/David―is a Member an wants 
> to forward this message to the list, please do so.)
> 
> In the contexts that we (in my part of DHS) have been considering 
> similar issues, we would basically agree that there are two important 
> “use cases” to cover, but we use slightly different terms, i.e.,
> 
> 1. Some access attributes may allow the requestor to assert them 
> (perhaps from a pick list of “authorized purposes” for the info may be 
> sought; perhaps with a warning (“You are asserting an authorized purpose 
> for accessing this info. Your access may be audited and legal action 
> taken if it is determined that the use was fraudulent or unauthorized.”) 
> For the BTG scenario, the assertion of “FIRE!” may be the ONLY access 
> attribute required, but of course the asserted “authorized purpose” 
> attribute might also be only one of several required attributes: 
> “JobRole=PassportOffice Clerk AND AuthorizedPurpose=”Validating 
> Application”.
> 
> 2. Access may also be conditional on some environmental attribute 
> obtained by the PDP or whatever at rule-evaluation time (and not 
> associated with or provisioned from the requestor’s credentials or the 
> requested resource’s metadata or value.) Examples: “CurrentThreatLevel; 
> “EmergencyDeclared”.
> 
> Martin
> 
> **/Martin F. Smith/**
> Director, National Security Systems
> US Department of Homeland Security
> NAC 19-204-47
> (202) 447-3743 desk
> (202) 441-9731 mobile
> (800) 417-6930 page
> 
> ------------------------------------------------------------------------
> 
> *From:*xacml-return-2257-martin.smith=dhs.gov@lists.oasis-open.org 
> [mailto:xacml-return-2257-martin.smith=dhs.gov@lists.oasis-open.org] *On 
> Behalf Of *Davis, John M.
> *Sent:* Tuesday, November 23, 2010 2:49 PM
> *To:* David Chadwick; xacml
> *Subject:* RE: [xacml] Draft BTG Profile
> 
> David,
> 
> 1. BTG is a common healthcare concept. The Draft BTG profile seems to 
> describe a concept somewhat different. I've included a short paper which 
> provides definitions, descriptions and requirements for BTG and 
> "emergency access" as two distinct and different concepts within the 
> healthcare domain. Here is a short description from HL7's Access Control 
> Service Functional Model:
> 
> /"Break‐glass is named after the glass panel that protects a fire alarm. 
> Everyone in the building is authorized to use the fire alarm to report a 
> fire, but the ramifications of misuse are substantial. The fragile glass 
> panel is sufficient to avoid accidental triggering, and it forces the 
> user to stop and think/
> 
> /before acting. In the context of this document, a “Break Glass” 
> scenario involves a situation where the access control policy will 
> authorize the user to access certain information or functionality, but 
> only after the user attests that one or more relevant conditions exist."/
> 
> 2. As described in the draft profile, the most important concept is that 
> the profile requires a BTG permission. This does not match the notion of 
> BTG as used in healthcare which is much more like a user controlled 
> "gateway" much such as a fire alarm. I'll explain by means of a use case:
> 
> In this healthcare scenario, a user is authorized to access patient 
> records (has appropriate permissions). Some records (e.g., VIP) are 
> sequestered behind a BTG barrier. A user attempting to access a VIP 
> record will be presented with a warning banner indicating that the 
> record is protected and that access will subject the user to increased 
> auditing (and perhaps other controls such as notifications to system 
> admins). In any case, the requester has two options; 1) abort or 2) 
> continue. If 2) is chosen the record is presented. The distinguishing 
> characteristic is that no elevation of user permissions and no special 
> "BTG permission" is required, the user is already in the "clinician" 
> group authorized to view records. This is analogous to students in a 
> high school. They are all members of a group who are "authorized" to 
> pull the fire alarm. Doing so falsely will subject the student to 
> discipline but the student does not need the teachers authorization to 
> pull the alarm when conditions warrant.
> 
> This is distinguished from emergency access of the first kind (normal 
> emergency room operations). In emergency access #1, the context of the 
> emergency (significant harm or risk of death to the patient) needs to be 
> presented so that the access control system evaluates the appropriate 
> policy set (e.g. A clinician at one hospital may not be authorized 
> access to records at another under normal conditions of “treatment”). In 
> emergency access #1, the XSPA SAML attribute assertion profile provides 
> an "Emergency Access" purpose of use attribute. This purpose of use 
> allows the PDP to select and evaluate the appropriate policy for the 
> "emergency" condition as opposed to normal "treatment". Again, it is not 
> the user permissions that are evaluated but the fundamental context of 
> the policy environment.
> 
> There is emergency access of the second kind which is a variation of 
> emergency access #1. In emergency access #2, the requester makes the 
> request for information under the purpose of use of treatment and 
> clinical role. Authorization to view the record under these conditions 
> is denied (perhaps an underlying privacy policy is being enforced). In 
> response the clinician responds by elevating permissions by asserting 
> the “emergency role” in the XSPA SAML Assertion profile thereby 
> elevating privileges under the same POU of “treatment” and overriding 
> the original policy decision. In our work in HL7 we have found the 
> “emergency” role/permission unnecessary as POU has the added benefit of 
> putting in place (and managing) an emergency context vice a simple role. 
> Emergency #2 is probably closer to what is intended by the Draft BTG 
> profile but is significantly different from what is described above.
> 
> I believe additional discussion is warranted on the fundamental concepts 
> of the Draft BTG profile, first to ensure common understanding of the 
> different forms of access, the uses of policy, purpose of use and 
> permission and second to establish sound use cases that will 
> sufficiently clarify the purpose and conditions under which use of such 
> a profile is warranted.
> 
> Regards, Mike Davis, CISSP
> 
> Department of Veterans Affairs
> 
> Office of Health Information
> 
> Security Architect
> 
> 760-632-0294
> 
> 
    
                                                
    
					
                                                    

        
                                                
				
    
                                                
    
                                                    
                                                        
                                                        Original Message


  • 8.  Re: [xacml] Draft BTG Profile

    Posted 11-25-2010 14:16 
    Hi John

thanks for your long explanation of the HL7 position.

Our BTG work has been done in conjunction with Porto's main hospital in
Portugal, along with the University of Porto. So it would appear that
some Europeans at least have a different interpretation of BTG to the US
work in HL7.

We have published a number of papers on BTG access in medical situations
and I will gladly send them to you if you wish.

The fundamental concept is this:

1. For any given resource, there are three classes of user as specified
in the access control policy
a) those who have permission to access the resource
b) those who are denied access to the resource
c) those who are normally denied access but may choose to BTG and gain
access if they deem it appropriate.

I would say that class c) users exactly fit your VIP record access
example below, and this is the class of user who are being dealt with in
this profile.

The profile is a generic profile and is not tied to health care
resources. It can be used in any scenario where they have the above
three classes of user

regards

David


On 23/11/2010 19:49, Davis, John M. wrote:
> David,
> 
> 1. BTG is a common healthcare concept. The Draft BTG profile seems to 
> describe a concept somewhat different. I've included a short paper which 
> provides definitions, descriptions and requirements for BTG and 
> "emergency access" as two distinct and different concepts within the 
> healthcare domain. Here is a short description from HL7's Access Control 
> Service Functional Model:
> 
> /"Break‐glass is named after the glass panel that protects a fire alarm. 
> Everyone in the building is authorized to use the fire alarm to report a 
> fire, but the ramifications of misuse are substantial. The fragile glass 
> panel is sufficient to avoid accidental triggering, and it forces the 
> user to stop and think/
> 
> /before acting. In the context of this document, a “Break Glass” 
> scenario involves a situation where the access control policy will 
> authorize the user to access certain information or functionality, but 
> only after the user attests that one or more relevant conditions exist."/
> 
> 2. As described in the draft profile, the most important concept is that 
> the profile requires a BTG permission. This does not match the notion of 
> BTG as used in healthcare which is much more like a user controlled 
> "gateway" much such as a fire alarm. I'll explain by means of a use case:
> 
> In this healthcare scenario, a user is authorized to access patient 
> records (has appropriate permissions). Some records (e.g., VIP) are 
> sequestered behind a BTG barrier. A user attempting to access a VIP 
> record will be presented with a warning banner indicating that the 
> record is protected and that access will subject the user to increased 
> auditing (and perhaps other controls such as notifications to system 
> admins). In any case, the requester has two options; 1) abort or 2) 
> continue. If 2) is chosen the record is presented. The distinguishing 
> characteristic is that no elevation of user permissions and no special 
> "BTG permission" is required, the user is already in the "clinician" 
> group authorized to view records. This is analogous to students in a 
> high school. They are all members of a group who are "authorized" to 
> pull the fire alarm. Doing so falsely will subject the student to 
> discipline but the student does not need the teachers authorization to 
> pull the alarm when conditions warrant.
> 
> This is distinguished from emergency access of the first kind (normal 
> emergency room operations). In emergency access #1, the context of the 
> emergency (significant harm or risk of death to the patient) needs to be 
> presented so that the access control system evaluates the appropriate 
> policy set (e.g. A clinician at one hospital may not be authorized 
> access to records at another under normal conditions of “treatment”). In 
> emergency access #1, the XSPA SAML attribute assertion profile provides 
> an "Emergency Access" purpose of use attribute. This purpose of use 
> allows the PDP to select and evaluate the appropriate policy for the 
> "emergency" condition as opposed to normal "treatment". Again, it is not 
> the user permissions that are evaluated but the fundamental context of 
> the policy environment.
> 
> There is emergency access of the second kind which is a variation of 
> emergency access #1. In emergency access #2, the requester makes the 
> request for information under the purpose of use of treatment and 
> clinical role. Authorization to view the record under these conditions 
> is denied (perhaps an underlying privacy policy is being enforced). In 
> response the clinician responds by elevating permissions by asserting 
> the “emergency role” in the XSPA SAML Assertion profile thereby 
> elevating privileges under the same POU of “treatment” and overriding 
> the original policy decision. In our work in HL7 we have found the 
> “emergency” role/permission unnecessary as POU has the added benefit of 
> putting in place (and managing) an emergency context vice a simple role. 
> Emergency #2 is probably closer to what is intended by the Draft BTG 
> profile but is significantly different from what is described above.
> 
> I believe additional discussion is warranted on the fundamental concepts 
> of the Draft BTG profile, first to ensure common understanding of the 
> different forms of access, the uses of policy, purpose of use and 
> permission and second to establish sound use cases that will 
> sufficiently clarify the purpose and conditions under which use of such 
> a profile is warranted.
> 
> Regards, Mike Davis, CISSP
> 
> Department of Veterans Affairs
> 
> Office of Health Information
> 
> Security Architect
> 
> 760-632-0294
> 
> 
    
                                                
    
					
                                                    

        
                                                
				
    
                                                
    
                                                    
                                                        
                                                        Original Message


  • 9.  Re: [xacml] Draft BTG Profile

    Posted 11-24-2010 08:49 
    On Tue, 2010-11-23 at 17:06 +0000, David Chadwick wrote:
> Dear List
> 
> about a year ago we discussed the standardisation of the Break The Glass 
> response (see Seth Proctor's message of 17 Dec 2009) and decided that a 
> profile to standardise the BTG response would be useful. Unfortunately 
> Seth left Sun before we got around to writing it.
> 
> Consequently Stijn Lievens and myself from Kent have produced a first 
> version (attached) for your consideration. I know its not in the correct 
> format yet, but we can fix that once the technical content has been agreed.
> 
> Comments appreciated

Hi David,

I have some questions related to the proposed approach:

1.) You propose to introduce a new status code. Why not simply use
Advice instead? It seems a bit superfluous to add new elements to the
standard when there are suitable elements in the standard already.

2.) You propose to introduce a new element called


  • 10.  Re: [xacml] Draft BTG Profile

    Posted 11-25-2010 14:39 
    Hi Ludwig

answers below

On 24/11/2010 08:48, Ludwig Seitz wrote:
> On Tue, 2010-11-23 at 17:06 +0000, David Chadwick wrote:
>> Dear List
>>
>> about a year ago we discussed the standardisation of the Break The Glass
>> response (see Seth Proctor's message of 17 Dec 2009) and decided that a
>> profile to standardise the BTG response would be useful. Unfortunately
>> Seth left Sun before we got around to writing it.
>>
>> Consequently Stijn Lievens and myself from Kent have produced a first
>> version (attached) for your consideration. I know its not in the correct
>> format yet, but we can fix that once the technical content has been agreed.
>>
>> Comments appreciated
>
> Hi David,
>
> I have some questions related to the proposed approach:
>
> 1.) You propose to introduce a new status code. Why not simply use
> Advice instead? It seems a bit superfluous to add new elements to the
> standard when there are suitable elements in the standard already.

the whole purpose of standardising the status code is so that different 
implementations can interwork without having to find out what the status 
code or Advice element is that is being set by a particular PDP.

>
> 2.) You propose to introduce a new element called


  • 11.  Re: [xacml] Draft BTG Profile

    Posted 11-25-2010 15:06 
    On Thu, 2010-11-25 at 14:36 +0000, David Chadwick wrote:
> Hi Ludwig
> 
> answers below
...
> >
> > Hi David,
> >
> > I have some questions related to the proposed approach:
> >
> > 1.) You propose to introduce a new status code. Why not simply use
> > Advice instead? It seems a bit superfluous to add new elements to the
> > standard when there are suitable elements in the standard already.
> 
> the whole purpose of standardising the status code is so that different 
> implementations can interwork without having to find out what the status 
> code or Advice element is that is being set by a particular PDP.
> 

Yes but you can achieve the same effect by just standardizing Advice-ids
in a profile, without adding new elements to the XACML-schema and
without requiring new behavior.

> > 2.) You propose to introduce a new element called


  • 12.  Re: [xacml] Draft BTG Profile

    Posted 11-25-2010 15:30 
    I agree with Ludwig. An Advice with a standard ID defined in a profile allows for interoperability. The PEP can enforce that the caller presents the necessary and expected attributes in order to perform the BTG. In addition the PEP should LOG the BTG operation so that an alert can be initiated, auditors will be advised, etc.

Doron Grinstein
CEO
BiTKOO



On Nov 25, 2010, at 7:06 AM, "Ludwig Seitz"


  • 13.  Re: [xacml] Draft BTG Profile

    Posted 11-25-2010 18:00 
    I dont see the difference between standardising a status code in a 
profile and standardising an Advice in a profile, except for one thing

Advice is not available to XACMLv2 implementations

regards

david



On 25/11/2010 15:29, Doron Grinstein wrote:
> I agree with Ludwig. An Advice with a standard ID defined in a
> profile allows for interoperability. The PEP can enforce that the
> caller presents the necessary and expected attributes in order to
> perform the BTG. In addition the PEP should LOG the BTG operation so
> that an alert can be initiated, auditors will be advised, etc.
>
> Doron Grinstein CEO BiTKOO
>
>
>
> On Nov 25, 2010, at 7:06 AM, "Ludwig Seitz"


  • 14.  Re: [xacml] Draft BTG Profile

    Posted 11-26-2010 08:54 
    On Thu, 2010-11-25 at 17:57 +0000, David Chadwick wrote:
> I dont see the difference between standardising a status code in a 
> profile and standardising an Advice in a profile, except for one thing
> 

There is another:

To standardize an Advice Id you don't need to change the core XACML
standard. To standardize a new status code you need to change the
standard.

> Advice is not available to XACMLv2 implementations

Since your approach necessitates a change in core standard, backwards
compatibility is gone either way, so I don't see a big drawback with
using v3 specific stuff (and not changing the core v3 standard).

/Ludwig

-- 
Ludwig Seitz, PhD             |   Axiomatics AB
Training & Development        |   Skeppsbron 40
Phone: +46 (0)760 44 22 91    |   SE-111 30 Stockholm
Mail: ludwig@axiomatics.com   |   Sweden


  • 15.  Re: [xacml] Draft BTG Profile

    Posted 11-26-2010 16:55 
    Hi Ludwig

On 26/11/2010 08:53, Ludwig Seitz wrote:
> On Thu, 2010-11-25 at 17:57 +0000, David Chadwick wrote:
>> I dont see the difference between standardising a status code in a
>> profile and standardising an Advice in a profile, except for one thing
>>
>
> There is another:
>
> To standardize an Advice Id you don't need to change the core XACML
> standard. To standardize a new status code you need to change the
> standard.


This is because the full list of codes are listed in Section B.9 (or 
B.8), yes?

But what is the standard defined behaviour for a PEP that receives an 
unknown status code? Is this documented anywhere? Probably not. Will 
they crash? Or will they ignore it? Most likely the latter.

So if a profile defines a new status code, whilst from a pure-ist point 
of view this should be in the base standard and not in a profile, 
because the standard does not allow extensibility of this feature, in 
practical terms it wont actually cause any problems to implementations 
will it?

I can accept that Advice is the Correct thing to do for v3, but what is 
the correct solution for v2?

regards

David

>
>> Advice is not available to XACMLv2 implementations
>
> Since your approach necessitates a change in core standard, backwards
> compatibility is gone either way, so I don't see a big drawback with
> using v3 specific stuff (and not changing the core v3 standard).
>
> /Ludwig
>

-- 

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
School of Computing, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************


  • 16.  Re: [xacml] Draft BTG Profile

    Posted 11-26-2010 10:26 
    Hi David,

There are a couple differences. Advice has an explicit expression syntax 
in the XACML policy schema, so the behavior of it can be controlled in 
the policy. The status code facility is much more limited in the spec. 
Only a couple of error codes are defined and there are no standard 
expressions to control how the status detail is constructed. The status 
code mechanism was defined before I joined the TC, so I don't know the 
original motivation behind it, but I have always viewed it as a way for 
an implementation to signal errors in the processing. It's not intended 
to be used as part of normal policy decisioning. That is what advice is for.

Best regards,
Erik


On 2010-11-25 18:57, David Chadwick wrote:
> I dont see the difference between standardising a status code in a 
> profile and standardising an Advice in a profile, except for one thing
>
> Advice is not available to XACMLv2 implementations
>
> regards
>
> david
>
>
>
> On 25/11/2010 15:29, Doron Grinstein wrote:
>> I agree with Ludwig. An Advice with a standard ID defined in a
>> profile allows for interoperability. The PEP can enforce that the
>> caller presents the necessary and expected attributes in order to
>> perform the BTG. In addition the PEP should LOG the BTG operation so
>> that an alert can be initiated, auditors will be advised, etc.
>>
>> Doron Grinstein CEO BiTKOO
>>
>>
>>
>> On Nov 25, 2010, at 7:06 AM, "Ludwig Seitz"


  • 17.  Re: [xacml] Draft BTG Profile

    Posted 11-26-2010 17:07 
    Yes, that is the original intent as I recall it.

b

On Nov 26, 2010, at 2:26 AM, Erik Rissanen wrote:

> The status code mechanism was defined before I joined the TC, so I don't know the original motivation behind it, but I have always viewed it as a way for an implementation to signal errors in the processing. It's not intended to be used as part of normal policy decisioning.


  • 18.  Re: [xacml] Draft BTG Profile

    Posted 11-25-2010 17:08 
    Hi Ludwig

The model you have appears to be that each user must BTG himself, and 
then he is given the BTG attribute after agreeing to this. But this is 
not the model we have, and it is not the model of BTG in general (e.g. a 
fire door in a hotel).

Our model is state based, ie. there is a BTG state that is initially 
false (corresponding to unbroken glass) and can be set to true 
(corresponding to broken glass) by a defined class of user in the policy.

Another class of user (typically a manager) can reset the state to false 
(ie repair the glass).

this model is much more general and flexible since it can be applied to 
individuals (as in your case) or to roles (e.g. doctors) or to any 
combination of attribute holding subjects. Furthermore the glass state 
can be applied to a single resource or a group of resources. To a single 
action or a group of actions. You can find details in last years ACSAC 
conference


http://www.acsac.org/2009/openconf/modules/request.php?module=oc_proceedings&action=summary.php&a=Accept&id=135

regards

david


On 25/11/2010 15:05, Ludwig Seitz wrote:
> On Thu, 2010-11-25 at 14:36 +0000, David Chadwick wrote:
>> Hi Ludwig
>>
>> answers below
> ...
>>>
>>> Hi David,
>>>
>>> I have some questions related to the proposed approach:
>>>
>>> 1.) You propose to introduce a new status code. Why not simply use
>>> Advice instead? It seems a bit superfluous to add new elements to the
>>> standard when there are suitable elements in the standard already.
>>
>> the whole purpose of standardising the status code is so that different
>> implementations can interwork without having to find out what the status
>> code or Advice element is that is being set by a particular PDP.
>>
>
> Yes but you can achieve the same effect by just standardizing Advice-ids
> in a profile, without adding new elements to the XACML-schema and
> without requiring new behavior.
>
>>> 2.) You propose to introduce a new element called


  • 19.  Re: [xacml] Draft BTG Profile

    Posted 11-26-2010 08:33 
    On Thu, 2010-11-25 at 17:05 +0000, David Chadwick wrote:
> Hi Ludwig
> 
> The model you have appears to be that each user must BTG himself, and 
> then he is given the BTG attribute after agreeing to this. But this is 
> not the model we have, and it is not the model of BTG in general (e.g. a 
> fire door in a hotel).

You claim your model represents the model of BTG in general. Can you
support these claims?

In a previous mail Mike Davis seems to suggest your model is different
from HL7's requirements, and currently the requirements from HL7 are as
close as it gets for "a model of BTG in general".

> Our model is state based, ie. there is a BTG state that is initially 
> false (corresponding to unbroken glass) and can be set to true 
> (corresponding to broken glass) by a defined class of user in the policy.
> 
> Another class of user (typically a manager) can reset the state to false 
> (ie repair the glass).

I see no difference between a BTG state and a BTG attribute. Could you
please explain where you see a difference?

> this model is much more general and flexible since it can be applied to 
> individuals (as in your case) or to roles (e.g. doctors) or to any 
> combination of attribute holding subjects. 
>
> Furthermore the glass state 
> can be applied to a single resource or a group of resources. To a single 
> action or a group of actions. You can find details in last years ACSAC 
> conference
> 

I'm all in favor of a flexible BTG model, but from what you present here
I fail to see how that cannot be done within the current XACML (v3) core
standard. 
There is absolutely no requirement for a BTG attribute to be associated
with a specific subject or resource. What this comes down to, is a
question of attribute management, and that's outside the scope of XACML.
(note that I think BTG profile should nevertheless give recommendations
about how to do that).

My point remains: You seem to derive the necessity to make changes to
the core standard from your BTG model. I am not convinced they are
necessary to realize your BTG model.

There is a more important problem though: Before coming up with
solutions for BTG, we need a good definition of what the requirements
for BTG really are. Right now we are starting with a solution and are
trying to make the requirements fit, and that seems like a bad approach
to me.

/Ludwig



-- 
Ludwig Seitz, PhD             |   Axiomatics AB
Training & Development        |   Skeppsbron 40
Phone: +46 (0)760 44 22 91    |   SE-111 30 Stockholm
Mail: ludwig@axiomatics.com   |   Sweden


  • 20.  Re: [xacml] Draft BTG Profile

    Posted 11-26-2010 17:12 
    Hi Ludwig

On 26/11/2010 08:32, Ludwig Seitz wrote:
> On Thu, 2010-11-25 at 17:05 +0000, David Chadwick wrote:
>> Hi Ludwig
>>
>> The model you have appears to be that each user must BTG himself, and
>> then he is given the BTG attribute after agreeing to this. But this is
>> not the model we have, and it is not the model of BTG in general (e.g. a
>> fire door in a hotel).
>
> You claim your model represents the model of BTG in general. Can you
> support these claims?

Yes in so far as it has been implemented and we have not yet come across 
any BTG requirement that it cannot satisfy. So in that respect it is as 
general as the HL7 model (which is not a universal standard either)


>
> In a previous mail Mike Davis seems to suggest your model is different
> from HL7's requirements, and currently the requirements from HL7 are as
> close as it gets for "a model of BTG in general".
>
>> Our model is state based, ie. there is a BTG state that is initially
>> false (corresponding to unbroken glass) and can be set to true
>> (corresponding to broken glass) by a defined class of user in the policy.
>>
>> Another class of user (typically a manager) can reset the state to false
>> (ie repair the glass).
>
> I see no difference between a BTG state and a BTG attribute. Could you
> please explain where you see a difference?

Clearly none if the attribute holds the state!
But in your attribute model you did not say how the attribute value was 
set to different values. This was added in our model.


>
>> this model is much more general and flexible since it can be applied to
>> individuals (as in your case) or to roles (e.g. doctors) or to any
>> combination of attribute holding subjects.
>>
>> Furthermore the glass state
>> can be applied to a single resource or a group of resources. To a single
>> action or a group of actions. You can find details in last years ACSAC
>> conference
>>
>
> I'm all in favor of a flexible BTG model, but from what you present here
> I fail to see how that cannot be done within the current XACML (v3) core
> standard.

This is not the issue. The issue is, can we have a standard defined way 
of doing it. You suggest using Advice to signal BTG, so I say we should 
have a profile to standardise the contents of the BTG Advice. But I also 
request a standard way of doing it in XACMLv2 as well, and Advice cannot 
do that.


> There is absolutely no requirement for a BTG attribute to be associated
> with a specific subject or resource. What this comes down to, is a
> question of attribute management, and that's outside the scope of XACML.

Actually it is in a twilight world, since you have PIPs which manage 
attributes, but you dont describe how they work. So you sort of 
acknowledge that attribute management is needed, but then dont say how 
to do it. What we are wanting to do, is for a specific type of access 
control - BTG - is allow the XACML infrastructure (context handler, 
PIPs, obligation service etc) to manage the BTG attribute/state so that 
applications dont need to. But in order to do this we need to 
standardise more of the protocol between the PEP and the XACML 
infrastructure so that BTG can be handled by the infrastructure, thereby 
reducing the load on applications.

> (note that I think BTG profile should nevertheless give recommendations
> about how to do that).
>

which is what we tried to do in a general way in the draft profile.


> My point remains: You seem to derive the necessity to make changes to
> the core standard from your BTG model. I am not convinced they are
> necessary to realize your BTG model.

Clearly no changes are needed to XACML if you dump all the work on the 
PEP and the application. This is the status quo today. What we would 
like to achieve is that the application independent code can take some 
of the burden off the PEP. This is the motivation for the profile.

>
> There is a more important problem though: Before coming up with
> solutions for BTG, we need a good definition of what the requirements
> for BTG really are. Right now we are starting with a solution and are
> trying to make the requirements fit, and that seems like a bad approach
> to me.

If you care to read our ACSAC paper you will find a set of requirement 
there which were derived from the hospital. So we started with a set of 
requirements and derived an application independent way of satisfying them.

regards

David

>
> /Ludwig
>
>
>

-- 

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
School of Computing, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************


  • 21.  Re: [xacml] Draft BTG Profile

    Posted 11-28-2010 20:44 
    

  
  


Hi David and Ludwig, et al,

    
I have been following this discussion and it seems to simply revolve
around
    
Policy definitions that Deny access under a given set of conditions,
but will
    
Permit access if there is that given set of conditions PLUS there is a
BTG
    
indicator that can be checked and if its value is
"glass-has-been-broken"
    
(BTG = true), then access is permitted:
    

      
  
    • (given-conditions = true) AND (BTG = false) then Deny
      • 
  
        
    
      • + send back BTG as reason for Deny, and indicating
        
obligations PEP has to tell user reason for denial and
        
options user has to get access
        • 
  
      
  
    • (given-conditions = true) AND (BTG = true ) then Permit
      • 
  
        
    
      • + send back BTG indicating obligations PEP must enforce
        
when in BTG = true state
        • 
  
      

    
I agree it wouild be useful to have a profile describing how to
implement
    
this using standard XACML PolicySets, which, it seems to me can be
    
done in some fairly straight-forward manners using designated URIs for
    
AttributeIds and ObligationIds, the semantics of which can be
implemented
    
by the PIPs and PEPs.
    

    For example, if there is a special AttributeId = "...btg",
and a trusted
    
Issuer of this attribute, then the Policy can look for it within the
context
    
of the request.
    
Similarly, a Deny response could use a profile-specific status-code or
    
just some designated ObligationId to indicate there are
AttributeAssignments
    
with AttributeId URIs indicating what the PEP is supposed to do.
    

    
Bottom line is I would want to understand what cannot be done w XACML
2.0 with
    
a guiding profile using Attributes and Obligations, before defining
alternate means, which
    
might eventually prove to have needlessly added complexity to the specs.

    
Currently, the XACML 2.0 spec indicates that a PEP should only make
specific decisions
    
if it understands any Obligations that are returned with the decision,
so it seems to me that
    
a trusted Attribute with the BTG state plus a set of appropriate
Obligations should be
    
sufficient for this use case.

    
    Thanks,
    
    Rich


    
David Chadwick wrote:

    4CEFE9B7.2010701@kent.ac.uk" type="cite">Hi
Ludwig

    
On 26/11/2010 08:32, Ludwig Seitz wrote:
    
  
    On Thu, 2010-11-25 at 17:05 +0000, David
Chadwick wrote:
    Hi Ludwig

    
The model you have appears to be that each user must BTG himself, and
    
then he is given the BTG attribute after agreeing to this. But this is
    
not the model we have, and it is not the model of BTG in general (e.g.
a
    
fire door in a hotel).

    
You claim your model represents the model of BTG in general. Can you
    
support these claims?
    
  

    
Yes in so far as it has been implemented and we have not yet come
across any BTG requirement that it cannot satisfy. So in that respect
it is as general as the HL7 model (which is not a universal standard
either)


    
  

    
In a previous mail Mike Davis seems to suggest your model is different
    
from HL7's requirements, and currently the requirements from HL7 are as
    
close as it gets for "a model of BTG in general".

    Our model is state based, ie. there is a
BTG state that is initially
    
false (corresponding to unbroken glass) and can be set to true
    
(corresponding to broken glass) by a defined class of user in the
policy.

    
Another class of user (typically a manager) can reset the state to
false
    
(ie repair the glass).

    
I see no difference between a BTG state and a BTG attribute. Could you
    
please explain where you see a difference?
    
  

    
Clearly none if the attribute holds the state!
    
But in your attribute model you did not say how the attribute value was
set to different values. This was added in our model.


    
  

    this model is much more general and
flexible since it can be applied to
    
individuals (as in your case) or to roles (e.g. doctors) or to any
    
combination of attribute holding subjects.

    
Furthermore the glass state
    
can be applied to a single resource or a group of resources. To a
single
    
action or a group of actions. You can find details in last years ACSAC
    
conference


    
I'm all in favor of a flexible BTG model, but from what you present
here
    
I fail to see how that cannot be done within the current XACML (v3)
core
    
standard.
    
  

    
This is not the issue. The issue is, can we have a standard defined way
of doing it. You suggest using Advice to signal BTG, so I say we should
have a profile to standardise the contents of the BTG Advice. But I
also request a standard way of doing it in XACMLv2 as well, and Advice
cannot do that.


    
  
    There is absolutely no requirement for a BTG
attribute to be associated
    
with a specific subject or resource. What this comes down to, is a
    
question of attribute management, and that's outside the scope of
XACML.
    
  

    
Actually it is in a twilight world, since you have PIPs which manage
attributes, but you dont describe how they work. So you sort of
acknowledge that attribute management is needed, but then dont say how
to do it. What we are wanting to do, is for a specific type of access
control - BTG - is allow the XACML infrastructure (context handler,
PIPs, obligation service etc) to manage the BTG attribute/state so that
applications dont need to. But in order to do this we need to
standardise more of the protocol between the PEP and the XACML
infrastructure so that BTG can be handled by the infrastructure,
thereby reducing the load on applications.

    
  
    (note that I think BTG profile should
nevertheless give recommendations
    
about how to do that).

    
  

    
which is what we tried to do in a general way in the draft profile.


    
  
    My point remains: You seem to derive the
necessity to make changes to
    
the core standard from your BTG model. I am not convinced they are
    
necessary to realize your BTG model.
    
  

    
Clearly no changes are needed to XACML if you dump all the work on the
PEP and the application. This is the status quo today. What we would
like to achieve is that the application independent code can take some
of the burden off the PEP. This is the motivation for the profile.

    
  

    
There is a more important problem though: Before coming up with
    
solutions for BTG, we need a good definition of what the requirements
    
for BTG really are. Right now we are starting with a solution and are
    
trying to make the requirements fit, and that seems like a bad approach
    
to me.
    
  

    
If you care to read our ACSAC paper you will find a set of requirement
there which were derived from the hospital. So we started with a set of
requirements and derived an application independent way of satisfying
them.

    
regards

    
David

    
  

    
/Ludwig


  • 22.  Re: [xacml] Draft BTG Profile

    Posted 11-29-2010 12:24 
    Hi Rich

On 28/11/2010 20:41, Rich.Levinson wrote:
> Hi David and Ludwig, et al,
>
> I have been following this discussion and it seems to simply revolve around
> Policy definitions that Deny access under a given set of conditions,

and state information. It is important to bear in mind which element is 
updating the BTG state (or attribute).

If the PDP understands that BTG is a special attribute (or state 
variable) then it can act in a special way when it is mentioned.

If the PDP does not understand BTG then no changes are needed to the 
XACML specification (scenario iii) below).

There are 3 scenarios, namely

1) PDP understands BTG and keeps the BTG state
ii) PDP understands BTG but does not keep the state
iii) PDP does not understand BTG

I believe that your description below is addressing scenario ii) only 
(correct me if I am wrong)

  but
> will
> Permit access if there is that given set of conditions PLUS there is a BTG
> indicator that can be checked and if its value is "glass-has-been-broken"
> (BTG = true), then access is permitted:
>
>     * (given-conditions = true) AND (BTG = false) then Deny
>           o + send back BTG as reason for Deny, and indicating
>             obligations PEP has to tell user reason for denial and
>             options user has to get access

Rather I would say that these obligations are future obligations that 
the PEP must enforce if the user decides to BTG. If the user does not 
BTG, then no obligation enforcement is necessary. But if the user does 
BTG, then the state has to be changed by the PEP, and it is the changing 
of the state that requires these obligations to be enforced. If they 
cannot be enforced the state should not be changed. E.g. If the 
obligation says to log this and email the manager, and the PEP is not 
able to do this, then the glass should not be broken, since no-one can 
be informed about it and the user will not have any explaining to do 
later. (Note that in our design we have the concept of Fallback 
obligations which are to be performed if the primary obligations cannot 
be, in order to try to address this issue, but this is a second level 
issue to the current problem.)

>     * (given-conditions = true) AND (BTG = true ) then Permit
>           o + send back BTG indicating obligations PEP must enforce
>             when in BTG = true state

This is a very interesting take on the scenario. What you are suggesting 
here is that the BTG obligations should only be enforced when the user 
actually exits the hotel through the firedoor. What I am suggesting 
above is that the obligations are enforced when the user breaks the 
glass, regardless of whether he decides to subsequently exit the hotel 
or not. This is an interesting conceptual point that should be discussed 
further, because clearly it effects which obligations should be enforced 
when. It also effects how many times the obligations are enforced. In 
your scenario they are enforced for everyone who subsequently leaves the 
hotel by the firedoor, in my scenario they are only enforced on the 
person who breaks the glass. This again is an interesting conceptual 
point. If I exit a hotel via an open fire door, should I have to explain 
this later to someone. If I view a patient record, which is for say a 
VIP and someone has previously broken the glass for me, should I have to 
explain this later. If I break the glass on a VIP record but I do not 
actually view the record, should I have to explain this later to someone?


>
> I agree it wouild be useful to have a profile describing how to implement
> this using standard XACML PolicySets, which, it seems to me can be
> done in some fairly straight-forward manners using designated URIs for
> AttributeIds and ObligationIds, the semantics of which can be implemented
> by the PIPs and PEPs.
>
>     For example, if there is a special AttributeId = "...btg", and a trusted
>     Issuer of this attribute, then the Policy can look for it within the
>     context
>     of the request.
>     Similarly, a Deny response could use a profile-specific status-code or
>     just some designated ObligationId to indicate there are
>     AttributeAssignments
>     with AttributeId URIs indicating what the PEP is supposed to do.
>
> Bottom line is I would want to understand what cannot be done w XACML
> 2.0 with
> a guiding profile using Attributes and Obligations, before defining
> alternate means, which
> might eventually prove to have needlessly added complexity to the specs.
>
> Currently, the XACML 2.0 spec indicates that a PEP should only make
> specific decisions
> if it understands any Obligations that are returned with the decision,
> so it seems to me that
> a trusted Attribute with the BTG state plus a set of appropriate
> Obligations should be
> sufficient for this use case.

You are most probably correct. The reason I proposed Consequences in our 
draft instead of Obligations, was that they were future obligations on a 
subsequent action rather than the current one, whereas with your model 
above there is no need for future actions since you perform the 
obligations each time the user accesses the resource and not when the 
user breaks the glass.

regards

david


>
>      Thanks,
>      Rich
>
>
> David Chadwick wrote:
>> Hi Ludwig
>>
>> On 26/11/2010 08:32, Ludwig Seitz wrote:
>>> On Thu, 2010-11-25 at 17:05 +0000, David Chadwick wrote:
>>>> Hi Ludwig
>>>>
>>>> The model you have appears to be that each user must BTG himself, and
>>>> then he is given the BTG attribute after agreeing to this. But this is
>>>> not the model we have, and it is not the model of BTG in general
>>>> (e.g. a
>>>> fire door in a hotel).
>>>
>>> You claim your model represents the model of BTG in general. Can you
>>> support these claims?
>>
>> Yes in so far as it has been implemented and we have not yet come
>> across any BTG requirement that it cannot satisfy. So in that respect
>> it is as general as the HL7 model (which is not a universal standard
>> either)
>>
>>
>>>
>>> In a previous mail Mike Davis seems to suggest your model is different
>>> from HL7's requirements, and currently the requirements from HL7 are as
>>> close as it gets for "a model of BTG in general".
>>>
>>>> Our model is state based, ie. there is a BTG state that is initially
>>>> false (corresponding to unbroken glass) and can be set to true
>>>> (corresponding to broken glass) by a defined class of user in the
>>>> policy.
>>>>
>>>> Another class of user (typically a manager) can reset the state to
>>>> false
>>>> (ie repair the glass).
>>>
>>> I see no difference between a BTG state and a BTG attribute. Could you
>>> please explain where you see a difference?
>>
>> Clearly none if the attribute holds the state!
>> But in your attribute model you did not say how the attribute value
>> was set to different values. This was added in our model.
>>
>>
>>>
>>>> this model is much more general and flexible since it can be applied to
>>>> individuals (as in your case) or to roles (e.g. doctors) or to any
>>>> combination of attribute holding subjects.
>>>>
>>>> Furthermore the glass state
>>>> can be applied to a single resource or a group of resources. To a
>>>> single
>>>> action or a group of actions. You can find details in last years ACSAC
>>>> conference
>>>>
>>>
>>> I'm all in favor of a flexible BTG model, but from what you present here
>>> I fail to see how that cannot be done within the current XACML (v3) core
>>> standard.
>>
>> This is not the issue. The issue is, can we have a standard defined
>> way of doing it. You suggest using Advice to signal BTG, so I say we
>> should have a profile to standardise the contents of the BTG Advice.
>> But I also request a standard way of doing it in XACMLv2 as well, and
>> Advice cannot do that.
>>
>>
>>> There is absolutely no requirement for a BTG attribute to be associated
>>> with a specific subject or resource. What this comes down to, is a
>>> question of attribute management, and that's outside the scope of XACML.
>>
>> Actually it is in a twilight world, since you have PIPs which manage
>> attributes, but you dont describe how they work. So you sort of
>> acknowledge that attribute management is needed, but then dont say how
>> to do it. What we are wanting to do, is for a specific type of access
>> control - BTG - is allow the XACML infrastructure (context handler,
>> PIPs, obligation service etc) to manage the BTG attribute/state so
>> that applications dont need to. But in order to do this we need to
>> standardise more of the protocol between the PEP and the XACML
>> infrastructure so that BTG can be handled by the infrastructure,
>> thereby reducing the load on applications.
>>
>>> (note that I think BTG profile should nevertheless give recommendations
>>> about how to do that).
>>>
>>
>> which is what we tried to do in a general way in the draft profile.
>>
>>
>>> My point remains: You seem to derive the necessity to make changes to
>>> the core standard from your BTG model. I am not convinced they are
>>> necessary to realize your BTG model.
>>
>> Clearly no changes are needed to XACML if you dump all the work on the
>> PEP and the application. This is the status quo today. What we would
>> like to achieve is that the application independent code can take some
>> of the burden off the PEP. This is the motivation for the profile.
>>
>>>
>>> There is a more important problem though: Before coming up with
>>> solutions for BTG, we need a good definition of what the requirements
>>> for BTG really are. Right now we are starting with a solution and are
>>> trying to make the requirements fit, and that seems like a bad approach
>>> to me.
>>
>> If you care to read our ACSAC paper you will find a set of requirement
>> there which were derived from the hospital. So we started with a set
>> of requirements and derived an application independent way of
>> satisfying them.
>>
>> regards
>>
>> David
>>
>>>
>>> /Ludwig
>>>
>>>
>>>
>>

-- 

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
School of Computing, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************


  • 23.  RE: [xacml] Draft BTG Profile

    Posted 11-29-2010 18:01 
    David, all--

Why not model "BTG=yes" as an environmental variable, which is
maintained as a resource (i.e., database) with appropriate access
control (like "anyone in the hospital" or "a designated fire marshall or
alternate") on updating it? 

This would toss the whole thing outside XACML, and make it just one of a
very large set of specific scenarios in which the PDP has to query an
external (environmental) state (like "currentThreatLevel") maintained
somewhere "in the cloud."

Martin
 

Martin F. Smith
Director, National Security Systems
US Department of Homeland Security
NAC 19-204-47
(202) 447-3743 desk
(202) 441-9731 mobile
(800) 417-6930 page


    
                                                
    
					
                                                    

        
                                                
				
    
                                                
    
                                                    
                                                        
                                                        Original Message


  • 24.  RE: [xacml] Draft BTG Profile

    Posted 11-29-2010 18:42 
    This suggestion is appealing.  It is general enough to support a number
of specific instances and policies without requiring a point solution
for a specific problem.  There are a number of similar variables,
constraints and other attributes associated with access to an object
"purpose of use",  "location", "separation of duty", "normal working
hours" already part of access control decisions.  Environmental
variable, are one of the classes of access control decision information
found in ISO 10181-3 (environmental is one, others including target or
access request ACI might also be appropriate).  

It might even be possible to logically extend "BTG=yes" as environmental
variable model any ACI variable associated with a policy that includes a
BTG attribute.

Regards, Mike Davis, CISSP
Department of Veterans Affairs
Office of Health Information 
Security Architect
760-632-0294



    
                                                
    
					
                                                    

        
                                                
				
    
                                                
    
                                                    
                                                        
                                                        Original Message


  • 25.  RE: [xacml] Draft BTG Profile

    Posted 11-30-2010 15:39 
    John/David, et. Al--

And another thought . . . 

I had suggested: " Why not model "BTG=yes" as an environmental variable,
which is maintained as a resource (i.e., database) with appropriate
access
control (like "anyone in the hospital" or "a designated fire marshall or
alternate") on updating it? "

We might think of the BTG "state" datum as a service (vs. element in a
database); and such a service might be provided by a real-world physical
device (a glass-protected alarm in this case) attached to the cloud,
which when activated would sound an audible alarm, of course, and also
make available its state ("glassBroken") if queried from the cloud by a
PDP. Thus the "attributes" requirement for someone to update BTG state
would be exactly what it already is: physical access to the alarm and
ability to break the glass. (Sorry--no access audit!) 

Makes for a nice economical unity between real-world environment and
cyber-decision-making.     

Martin


Martin F. Smith
Director, National Security Systems
US Department of Homeland Security
NAC 19-204-47
(202) 447-3743 desk
(202) 441-9731 mobile
(800) 417-6930 page

    
                                                
    
					
                                                    

        
                                                
				
    
                                                
    
                                                    
                                                        
                                                        Original Message


  • 26.  Re: [xacml] Draft BTG Profile

    Posted 12-01-2010 09:09 
    Hi Martin

On 30/11/2010 15:38, Smith, Martin wrote:
> John/David, et. Al--
>
> And another thought . . .
>
> I had suggested: " Why not model "BTG=yes" as an environmental variable,
> which is maintained as a resource (i.e., database) with appropriate
> access
> control (like "anyone in the hospital" or "a designated fire marshall or
> alternate") on updating it? "

this is exactly what we do in our implementation. We use a standard 
XACML stateless PDP that does not understand BTG, and wrap it with a 
stateful BTG wrapper that holds this database of BTG state variables. We 
then need a way of communicating with the PEP about BTG things 
(responses, requests to set/unset state etc). This is why we have 
introduced the topic to the XACML group for standardisation, so that all 
BTG implementations can use a standard protocol for PEP-PDP 
communications rather then re-inventing their own ways of communicating.

regards

David

>
> We might think of the BTG "state" datum as a service (vs. element in a
> database); and such a service might be provided by a real-world physical
> device (a glass-protected alarm in this case) attached to the cloud,
> which when activated would sound an audible alarm, of course, and also
> make available its state ("glassBroken") if queried from the cloud by a
> PDP. Thus the "attributes" requirement for someone to update BTG state
> would be exactly what it already is: physical access to the alarm and
> ability to break the glass. (Sorry--no access audit!)
>
> Makes for a nice economical unity between real-world environment and
> cyber-decision-making.
>
> Martin
>
>
> Martin F. Smith
> Director, National Security Systems
> US Department of Homeland Security
> NAC 19-204-47
> (202) 447-3743 desk
> (202) 441-9731 mobile
> (800) 417-6930 page
> 
    
                                                
    
					
                                                    

        
                                                
				
    
                                                
    
                                                    
                                                        
                                                        Original Message


  • 27.  Re: [xacml] Draft BTG Profile

    Posted 11-30-2010 08:50 
    Hi Martin

On 29/11/2010 18:00, Smith, Martin wrote:
> David, all--
>
> Why not model "BTG=yes" as an environmental variable, which is
> maintained as a resource (i.e., database) with appropriate access
> control (like "anyone in the hospital" or "a designated fire marshall or
> alternate") on updating it?

this is what we already do.

>
> This would toss the whole thing outside XACML,

exactly. This is where we are today. As my earlier post stated we would 
like to standardise this in order to provide portability and ease of 
implementation for applications.

regards

David


  and make it just one of a
> very large set of specific scenarios in which the PDP has to query an
> external (environmental) state (like "currentThreatLevel") maintained
> somewhere "in the cloud."
>
> Martin
>
>
> Martin F. Smith
> Director, National Security Systems
> US Department of Homeland Security
> NAC 19-204-47
> (202) 447-3743 desk
> (202) 441-9731 mobile
> (800) 417-6930 page
>
> 
    
                                                
    
					
                                                    

        
                                                
				
    
                                                
    
                                                    
                                                        
                                                        Original Message


Related Content