Hi Tony,
Anthony Nadalin wrote On 10/10/06 01:28,:
> So what do you think the use cases are ?
I have a list of use cases in the Introduction section of WD 5, which I
submitted yesterday:
Web Services Profile of XACML (WS-XACML) Version 1.0, WD 5, 9 October 2006
http://www.oasis-open.org/committees/download.php/20643/xacml-3.0-profile-webservices-spec-v1.0-wd-5-en.pdf
It is linked off the XACML TC Home Page under "Work in Progress",
replacing the old WSPL link, since this is the successor to WSPL.
> How are policies fetched ?
I'm not sure I understand the question. A service fetches its policies
from its database, or wherever it stores them, and they are inserted
into the XACMLAuthzAssertion just as other service-specific information
is fetched and stored into other WS-Policy Assertions. This is for
relatively stable authz policies, where the policy can be put into a
WS-Policy instance and updated only as often as other information in the
WS-Policy instance might be updated.
I don't think anyone has designed a standard way for clients to store
and fetch their authz policies. That is up to the client.
> Do you see the usage mainly being a policy store -> PDP ?
No. I see it as a service taking the policy its PDP will use (or a
subset of it) and publishing it for the use of clients in deciding
whether and how to connect with the service. It is not a policy
provisioning mechanism at all.
> How would I include policy in a request (to cover a bootstrap case, I would imagine
> I would want this in a token).
In the new version of the SAML Profile for XACML 3.0, we allow a policy
to be included in an XACMLAuthzDecisionRequest. Such a request could be
included in a SOAP Security header like any other token. Perhaps I
should include that in the next draft of the Profile.
Regards,
Anne
>
> Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122