OASIS eXtensible Access Control Markup Language (XACML) TC

  • 1.  Proposed Agenda 10 February 2011 TC Meeting

    Posted 02-10-2011 02:25
    Time: 13:00 EDT Tel: 513-241-0892 Access Code: 65998 Proposed Agenda for 10 February 2011 TC Meeting: I. Roll Call & Approve Minutes: 27 January 2011 TC Meeting (Updated) http://lists.oasis-open.org/archives/xacml/201101/msg00028.html II. Administrivia NIST IDTrust Symposium Call for Poster Announced http://lists.oasis-open.org/archives/xacml/201102/msg00002.html III. Issues XACML v3 WSDL http://lists.oasis-open.org/archives/xacml/201101/msg00027.html Attribute Assertions in XACML request original (Paul): http://lists.oasis-open.org/archives/xacml/201010/msg00012.html (Tony's example) http://lists.oasis-open.org/archives/xacml/201102/msg00013.html BTG Profile (Break The Glass): original (David): http://lists.oasis-open.org/archives/xacml/201011/msg00017.html PIP directive (additional information directives) original (David): http://lists.oasis-open.org/archives/xacml/201010/msg00005.html latest: http://lists.oasis-open.org/archives/xacml/201012/msg00022.html


  • 2.  Re: [xacml] Proposed Agenda 10 February 2011 TC Meeting

    Posted 02-10-2011 11:23
      |   view attached
    Dear All, in preparation for this evening's call, I attach a revised version of the BTG profile for you consideration regards David On 10/02/2011 02:24, Bill Parducci wrote: > Time: 13:00 EDT > Tel: 513-241-0892 Access Code: 65998 > > Proposed Agenda for 10 February 2011 TC Meeting: > > I. Roll Call& Approve Minutes: > 27 January 2011 TC Meeting (Updated) > http://lists.oasis-open.org/archives/xacml/201101/msg00028.html > > II. Administrivia > NIST IDTrust Symposium Call for Poster Announced > http://lists.oasis-open.org/archives/xacml/201102/msg00002.html > > III. Issues > XACML v3 WSDL > http://lists.oasis-open.org/archives/xacml/201101/msg00027.html > > Attribute Assertions in XACML request > original (Paul): http://lists.oasis-open.org/archives/xacml/201010/msg00012.html > (Tony's example) http://lists.oasis-open.org/archives/xacml/201102/msg00013.html > > BTG Profile (Break The Glass): > original (David): http://lists.oasis-open.org/archives/xacml/201011/msg00017.html > > PIP directive (additional information directives) > original (David): http://lists.oasis-open.org/archives/xacml/201010/msg00005.html > latest: http://lists.oasis-open.org/archives/xacml/201012/msg00022.html > > > --------------------------------------------------------------------- > To unsubscribe from this mail list, you must leave the OASIS TC that > generates this mail. Follow this link to all your TCs in OASIS at: > https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php > > -- ***************************************************************** David W. Chadwick, BSc PhD Professor of Information Systems Security School of Computing, University of Kent, Canterbury, CT2 7NF Skype Name: davidwchadwick Tel: +44 1227 82 3221 Fax +44 1227 762 811 Mobile: +44 77 96 44 7184 Email: D.W.Chadwick@kent.ac.uk Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html Entrust key validation string: MLJ9-DU5T-HV8J PGP Key ID is 0xBC238DE5 ***************************************************************** XACML BTG profile.doc

    Attachment(s)

    doc
    XACML BTG profile.doc   43 KB 1 version


  • 3.  BTG comment [WAS: [xacml] Proposed Agenda 10 February 2011 TC Meeting]

    Posted 02-22-2011 15:49
    I have some reservations about David's BTG proposal, primarily because the semantics are not well specified, and because it muddies the distinction between what should happen within the XACML system, and what should happen outside of XACML. Obligations, as currently defined, require the PEP to take some action prior to executing or acting on the PDP's decision for a particular request. The proposed BTG obligation is entirely different: it says "you can't have access, but you can break the glass if you choose". We added Advice in XACML 3 to accommodate this sort of message-passing--messages which may or may not have anything to do with the original request or the decision. I don't think the TC should encourage the use of Obligations for anything other than what they are: an obligation to discharge certain actions regarding the PDP's decision. This is the only way to assure predictable system behavior--or to detect a faulty system. As we discussed on the last call, the scope and definition of "glass" should be specified. If not, we are just standardizing some features of the request/response protocol without knowing what effect these features have, either on the PDP or the PEP. Does the glass cover a specific request, a specific class of subjects, a class of resources, or what? Or is glass-condition just another attribute in the request context, whose effective meaning is given by the policy rules? However you define glass-condition, it will have to be implemented as a XACML attribute in the request context, or as some extra-xacml functionality. Either way, you are now using the XACML request mechanism to change the policy evaluation state directly. While this isn't prohibited by the standard, it makes it harder to reason about the behavior of the system. David's "BreakTheGlass" action-id is egregious in that it is not just a request for permission to do something (outside the XACML system)--it is a directive to change the state of the policy evaluation with regard to a particular (non-XACML) resource, subject, or action. Now, if state is maintained in PEP, you could say this is a normal request, but nevertheless it has muddied the distinction between requests for permission to do something (outside of XACML) and directives to do something "inside" of XACML. I would favor one of two alternative approaches (or some combination): 1. Simply return an Obligation (along with a Permit decision) if the requestor is authorized to "break the glass". The PEP would be obliged to display the list of consequences associated with accessing the resource, and the user could choose to accept the consequences and see the resource, or cancel the request. The consequences could include changing the state of the system to allow access to other resources, or allow other people to see the same resource, or whatever the business meaning of "break the glass" carries in a specific application. The obligations would be discharged outside the XACML system. (I'm not sure that this approach really warrants a standard profile, unless we just want to provide a distinguished obligation id value for BTG.) 2. Write policies specifically to allow "break-the-glass" actions to certain subjects in certain conditions. The PEP would request permission to break the glass, and if allowed would use some non-XACML mechanism to change the policy evaluation state. Obligations could be returned with the decision to advise user of the consequences. Then the application would request access to the desired resource. (Again I question whether this is worthy of standardization, unless we want to name a distinguished "break-the-glass" action id.) Either of these approaches would meet the BTG use case without altering the semantics or conventional usage of XACML. Regards, --Paul >


  • 4.  RE: [xacml] BTG comment [WAS: [xacml] Proposed Agenda 10 February 2011 TC Meeting]

    Posted 02-23-2011 04:07
    Concur with Paul's analysis. We also see BTG as a state change. Regards, Mike Davis, CISSP Department of Veterans Affairs Office of Health Information Security Architect 760-632-0294


  • 5.  Re: [xacml] BTG comment [WAS: [xacml] Proposed Agenda 10 February2011 TC Meeting]

    Posted 02-23-2011 09:43
    Hi Paul and Mike, I agree, but isn't this exactly what David is proposing? That is how I understand it, at least for the "PEP state" mode. The other alternative with the PDP maintaining state is something I don't think is a good idea. To make David's proposal better, it needs: - Drop the PDP state approach since this goes against the capability of the XACML model which does not have a state built in. - Define identifiers for at least the BTG obligation/advice (advice is better, but for XACML 2.0 an obligation needs to be used), the action-id for breaking glass (as well as giving some kind of direction of what the BTG request should look like in relation to resources being accessed). - It would be nice with a full, worked through example. Best regards, Erik On 2011-02-23 05:06, Davis, John M. wrote: > Concur with Paul's analysis. We also see BTG as a state change. > > Regards, Mike Davis, CISSP > Department of Veterans Affairs > Office of Health Information > Security Architect > 760-632-0294 > >


  • 6.  Re: [xacml] BTG comment [WAS: [xacml] Proposed Agenda 10 February 2011 TC Meeting]

    Posted 02-23-2011 16:15
    The use cases presented to date suggest that they are implemented in dire situations and the lack of a functioning PDP will need to be addressed I assume? If so, I favor Paul's first example as it covers the case of a missing or failing PDP by putting the onus of BTG awareness on the PEP (which also keeps the PDP stateless). b >>


  • 7.  RE: [xacml] Proposed Agenda 10 February 2011 TC Meeting

    Posted 02-10-2011 13:02
    It might be time to address "Attribute Assertions" under two separate topics: 1. Extending the request context to include non-equality attribute assertions (along with required changes to policy language and evaluation). 2. Defining a conventional methodology for converting non-XACML attribute predicates into Boolean-valued attributes in a XACML request context. I don't think it is useful or necessary to discuss these as the same topic, even though they address some common use cases. Regards, --Paul >