OASIS eXtensible Access Control Markup Language (XACML) TC

Expand all | Collapse all

Re: [xacml] Issue#47: XACML WS-Policy Assertions name problem

Anthony Nadalin

Anthony Nadalin10-11-2006 08:41

Anthony Nadalin

Anthony Nadalin10-11-2006 10:24

  • 1.  Re: [xacml] Issue#47: XACML WS-Policy Assertions name problem

    Posted 10-10-2006 14:34
    Hi Tony,
    
    Anthony Nadalin wrote On 10/10/06 01:28,:
    > So what do you think the use cases are ? 
    
    I have a list of use cases in the Introduction section of WD 5, which I 
    submitted yesterday:
    Web Services Profile of XACML (WS-XACML) Version 1.0, WD 5, 9 October 2006
    http://www.oasis-open.org/committees/download.php/20643/xacml-3.0-profile-webservices-spec-v1.0-wd-5-en.pdf
    It is linked off the XACML TC Home Page under "Work in Progress", 
    replacing the old WSPL link, since this is the successor to WSPL.
    
    > How are policies fetched ?
    
    I'm not sure I understand the question.  A service fetches its policies 
    from its database, or wherever it stores them, and they are inserted 
    into the XACMLAuthzAssertion just as other service-specific information 
    is fetched and stored into other WS-Policy Assertions.  This is for 
    relatively stable authz policies, where the policy can be put into a 
    WS-Policy instance and updated only as often as other information in the 
    WS-Policy instance might be updated.
    
    I don't think anyone has designed a standard way for clients to store 
    and fetch their authz policies.  That is up to the client.
    
    > Do you see the usage mainly being a policy store -> PDP ?
    
    No.  I see it as a service taking the policy it's PDP will use (or a 
    subset of it) and publishing it for the use of clients in deciding 
    whether and how to connect with the service.  It is not a policy 
    provisioning mechanism at all.
    
    > How would I include policy in a request (to cover a bootstrap case, I would imagine 
    > I would want this in a token).
    
    In the new version of the SAML Profile for XACML 3.0, we allow a policy 
    to be included in an XACMLAuthzDecisionRequest.  Such a request could be 
    included in a SOAP Security header like any other token.  Perhaps I 
    should include that in the next draft of the Profile.
    
    Regards,
    Anne
    
    > 
    > Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122
    > Inactive hide details for Anne Anderson - Sun Microsystems 
    > 


  • 2.  Re: [xacml] Issue#47: XACML WS-Policy Assertions name problem

    Posted 10-11-2006 08:41
      |   view attached



  • 3.  Re: [xacml] Issue#47: XACML WS-Policy Assertions name problem

    Posted 10-11-2006 10:24