OASIS eXtensible Access Control Markup Language (XACML) TC

Re: [xacml] PEP Conformance

    Posted 10-09-2002 05:02
    I think we are veering off the topic, but... if you look at "Conformance Program Specification for the OASIS Security Assertion Markup Language (SAML)"
      Document identifier: draft-sstc-conform-spec-12
      Location: http://www.oasis-open.org/committees/security/docs
      Publication date: 22 March 2002
      Maturity Level: Committee Working Draft
    you will see in the conformance objectives:

    /*
    The objectives of the SAML Conformance Clause are to:
    1. [...]
    2. Promote interoperability in the exchange of authentication and authorization information
    */

    which has no meaning if the *application* of this information is not consistent. I believe that this position is embodied in the following conformance test case:

    /*
    4.1.6 Test Case 1-6: SOAP Protocol Binding: Implementation-Under-Test Consumes Valid Authorization Decision Assertion, Requested in Valid Query
    Description: This test case receives an authorization decision query created by an implementation-under-test using the AuthorizationRequest protocol in the SOAP binding. It confirms that the received query is valid for all required functionality. It returns an authorization decision assertion to the implementation-under-test and confirms that the assertion is consumed.
    Pass/Fail Criteria: AuthorizationQuery contains all required elements in the right format and sequence; authorization decision response and assertion are consumed.
    Requirements Reference: R-AUTHZDECISION, and R-MULTIDOMAIN
    Specification Reference: SAML Core, sections 2.4.4 and 3; SAML Bind, section 3.1
    Implementation notes: The implementation-under-test executes the authorization decision assertion consumer role. Test program and implementation-under-test must agree how to validate that assertion was consumed.
    */

    which states that authorization query consumption must be validated (i.e. 'consumed' the same way).
    I posit that this will be performed in much the same way attribute conformance was achieved this summer: multiple vendors will send azn queries back and forth while protecting a controlled asset; conformance is declared when the *results* match across systems. In other words, this:

    /*
    The Application may or may not give you access, sometimes you won't even see it. I being an application, may get a Deny response from a PDP, but decide to give you access anyway, but maybe to a false object. But in any case, you cannot bind me to deny access in a consistent manner.
    */

    will *not* conform.

    b

    Polar Humenn wrote:
    > Can anybody point me to the proper places in the SAML documents:
    >
    > * Assertions and Protocol ( cs-sstc-core-01)
    > * Assertion Schema ( cs-sstc-schema-assertion-01.xsd)
    > * Protocol Schema ( cs-sstc-schema-protocol-01.xsd)
    > * Bindings and Profiles ( cs-sstc-bindings-01)
    > * Security and Privacy Considerations ( cs-sstc-sec-consider-01)
    > * Conformance Program Specification ( cs-sstc-conform-01)
    > * Glossary ( cs-sstc-glossary-01)
    >
    > that talks about a PEP's behavior in accordance with a SAML Response to an
    > AuthorizationQuery?
    >
    > I've looked at most of these documents, even in the Conformance Program
    > Specification, I cannot find anything.
    >
    > Cheers,
    > -Polar
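The exchange that Test Case 1-6 describes, written out as an added example (this is not code from the thread, from the SAML TC or from any OASIS deliverable). The test program plays the PDP side: it checks that the implementation-under-test's AuthorizationDecisionQuery carries the required elements in order, answers with a Response holding one AuthorizationDecisionStatement, and then checks that the IUT's enforcement outcome matches the Decision it was handed, which is the "consumed the same way" check the post argues for. Only the SAML 1.0 element names, attributes, namespaces and the Permit/Deny/Indeterminate values come from the specification; the function names, the sample subject and resource, the rwedc action namespace and the idea of passing the IUT's enforcement routine in as a callback are assumptions made for the example.

```python
import uuid
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

# SAML 1.0 namespaces (from the specification); prefixes are for readable output.
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)

def _tag(ns, name):
    return "{%s}%s" % (ns, name)

def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

# --- IUT side (hypothetical PEP): build the query ---------------------------
def build_authz_query(subject, resource, actions,
                      action_ns="urn:oasis:names:tc:SAML:1.0:action:rwedc"):
    """samlp:Request carrying an AuthorizationDecisionQuery (SAML 1.0)."""
    req = ET.Element(_tag(SAMLP, "Request"), {
        "RequestID": "_" + uuid.uuid4().hex, "MajorVersion": "1",
        "MinorVersion": "0", "IssueInstant": _now()})
    q = ET.SubElement(req, _tag(SAMLP, "AuthorizationDecisionQuery"), {"Resource": resource})
    subj = ET.SubElement(q, _tag(SAML, "Subject"))
    ET.SubElement(subj, _tag(SAML, "NameIdentifier")).text = subject
    for a in actions:  # Action elements follow Subject in the schema sequence
        ET.SubElement(q, _tag(SAML, "Action"), {"Namespace": action_ns}).text = a
    return ET.tostring(req, encoding="unicode")

# --- test program side: validate the query, answer it -----------------------
def validate_authz_query(xml_text):
    """Return (request_id, resource, subject, [(ns, action)]) or raise ValueError.
    Checks the pass criterion 'all required elements in the right format and
    sequence': Subject first, then at least one Action with a Namespace."""
    root = ET.fromstring(xml_text)
    if root.tag != _tag(SAMLP, "Request"):
        raise ValueError("not a samlp:Request")
    if (root.get("MajorVersion"), root.get("MinorVersion")) != ("1", "0"):
        raise ValueError("unexpected SAML version")
    for attr in ("RequestID", "IssueInstant"):
        if not root.get(attr):
            raise ValueError("missing " + attr)
    q = root.find(_tag(SAMLP, "AuthorizationDecisionQuery"))
    if q is None:
        raise ValueError("no AuthorizationDecisionQuery")
    resource = q.get("Resource")
    if not resource:
        raise ValueError("Resource attribute is required")
    children = list(q)
    if not children or children[0].tag != _tag(SAML, "Subject"):
        raise ValueError("Subject must be the first child")
    name_id = children[0].find(_tag(SAML, "NameIdentifier"))
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("Subject has no NameIdentifier")
    actions = [(c.get("Namespace"), (c.text or "").strip())
               for c in children[1:] if c.tag == _tag(SAML, "Action")]
    if not actions or any(not ns or not a for ns, a in actions):
        raise ValueError("at least one Action with Namespace and value is required")
    return root.get("RequestID"), resource, name_id.text.strip(), actions

def build_authz_response(request_id, resource, subject, actions, decision, issuer="test-program"):
    """samlp:Response with Status and one AuthorizationDecisionStatement."""
    if decision not in ("Permit", "Deny", "Indeterminate"):
        raise ValueError("bad Decision")
    resp = ET.Element(_tag(SAMLP, "Response"), {
        "ResponseID": "_" + uuid.uuid4().hex, "InResponseTo": request_id,
        "MajorVersion": "1", "MinorVersion": "0", "IssueInstant": _now()})
    status = ET.SubElement(resp, _tag(SAMLP, "Status"))
    ET.SubElement(status, _tag(SAMLP, "StatusCode"), {"Value": "samlp:Success"})
    assertion = ET.SubElement(resp, _tag(SAML, "Assertion"), {
        "AssertionID": "_" + uuid.uuid4().hex, "Issuer": issuer,
        "MajorVersion": "1", "MinorVersion": "0", "IssueInstant": _now()})
    stmt = ET.SubElement(assertion, _tag(SAML, "AuthorizationDecisionStatement"),
                         {"Resource": resource, "Decision": decision})
    subj = ET.SubElement(stmt, _tag(SAML, "Subject"))
    ET.SubElement(subj, _tag(SAML, "NameIdentifier")).text = subject
    for ns, a in actions:
        ET.SubElement(stmt, _tag(SAML, "Action"), {"Namespace": ns}).text = a
    return ET.tostring(resp, encoding="unicode")

# --- IUT side again: a conforming PEP consumes the decision -----------------
def pep_consume(response_xml, expected_request_id):
    """Permit grants; Deny, Indeterminate, a bad Status or a stray response all deny."""
    root = ET.fromstring(response_xml)
    if root.get("InResponseTo") != expected_request_id:
        return False  # not the answer to our query: fail closed
    code = root.find("%s/%s" % (_tag(SAMLP, "Status"), _tag(SAMLP, "StatusCode")))
    if code is None or code.get("Value") != "samlp:Success":
        return False
    stmt = root.find(".//" + _tag(SAML, "AuthorizationDecisionStatement"))
    return stmt is not None and stmt.get("Decision") == "Permit"

# --- the conformance check itself -------------------------------------------
def run_test_case_1_6(query_xml, decision, iut_consume):
    """'pass', or 'fail: <reason>'. iut_consume(response_xml, request_id) -> bool
    is the IUT's enforcement routine (assumed interface for this example)."""
    try:
        request_id, resource, subject, actions = validate_authz_query(query_xml)
    except ValueError as e:
        return "fail: invalid query (%s)" % e
    response = build_authz_response(request_id, resource, subject, actions, decision)
    granted = iut_consume(response, request_id)
    if granted != (decision == "Permit"):  # outcome must match the Decision
        return "fail: IUT %s access on Decision=%s" % ("granted" if granted else "denied", decision)
    return "pass"
```

The last function is the point of the post: a PEP that answers a Deny with a grant (to the real object or to a decoy) fails the case even though its query and its parsing of the response were both valid, because the test program measures the enforcement result, not just that the assertion was parsed.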