1. Don't give up yet. I am trying to cook up a way to deal with the
concept still ;)
2. Yes. My desire is to create a number of Obligations templates.
Whether or not they turn out to be normative is another matter...
b
On Apr 15, 2007, at 9:04 PM, Anil Saldhana wrote:
> Sampo,
> I think by now I have given up on the idea of obligations being
> optional. :) This is mainly due to added education from the others
> on the TC.
>
> Are we looking at at least standardizing some of the obligations
> like logging?
> Looking at http://wiki.oasis-open.org/xacml/
> DiscussionOnObligations, I am guessing Yes!
>
> Regards,
> Anil
>
> sampo@symlabs.com wrote:
>> Anil Saldhana writes:
>>> My use cases in mind are the following(please correct me wherever
>>> my understanding is wrong):
>>> a) Legitimate authorization request arrives at the PEP. PEP
>>> invokes the PDP. PDP comes back with 'PERMIT' and a set of
>>> obligations. PEP is unable to fulfill 1 or more obligations. PEP
>>> issues an error. What happened to the legitimate request?
>>
>> I understand you mean the authorization request was legit from global
>> perspective, assuming all information was available, but might seem
>> illegit when viwed locally, perhaps with some of the context or
>> information
>> inaccessible.
>> The conflict between PDP imposing Obligations that PEP can not
>> satisfy vs. PDP having "intelligently" chosen the alternate
>> Obligations that it "knows" PEP can satisfy is the key. At local
>> level any request that does not come with enough context or
>> information
>> to satisfy Obligations MUST be considered illegit. If such request,
>> from global perspective should have been considered legit, then
>> we need to see if there was architectural or layering reason why
>> the PEP and PDP did not have available to them all the necessary
>> information.
>>> b) PDP issues a 'PERMIT' with a logging obligation. PEP does not
>>> want to log because performance considerations have been put
>>> forward and logging is low priority for the PEP. PEP issues an
>>> error.
>>
>> If PEP does not adher to rules set by PDP, then it does not play.
>> If PDP
>> looses a lot of business because it makes onerous Obligations, then
>> it will either go out of business or change the Obligations.
>> I still do not see the case for making an Obligation optional. Either
>> it is sine-qua-non or it is not (and if it is not, why even bother
>> to state it). However, I do see that there may be alternate
>> Obligations
>> or alternate ways of satisfying a higher level Obligation.
>> Cheers,
>> --Sampo
>> __________________________________________________________________
>> Sym | Sampo Kellomaki ______| Identity Architect, Federated SSO
>> ____ | +351-918.731.007 ______| Liberty ID-WSF DirectoryScript
>> labs | skype: sampo.kellomaki | LDAP SOAP PlainDoc Crypto C Perl
>>
>
> --
> Anil Saldhana
> JBoss Security & Identity Management
> http://labs.jboss.com/portal/jbosssecurity/
>
>