is attached. -- ***************************************************************** David W. Chadwick, BSc PhD Professor of Information Systems Security The Computing Laboratory, University of Kent, Canterbury, CT2 7NF Skype Name: davidwchadwick Tel: +44 1227 82 3221 Fax +44 1227 762 811 Mobile: +44 77 96 44 7184 Email: D.W.Chadwick@kent.ac.uk Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html Entrust key validation string: MLJ9-DU5T-HV8J PGP Key ID is 0xBC238DE5 *****************************************************************
Hi David, I looked at the document your sent and was a bit confused to position it among other standards in use and our work. Before we can discuss some minor detail, I want to say that title is a bit misleading. They call it "Web Services Profile of XACML (WS-XACML)" but actually it is Web Services Policy (WSP) profile/extensions for (using) XACML in WSP style policy definition. They provided good use cases in Introduction, and correctly described XACML AuthZ token (section 2). For me, it is not clear their definition of XACMLAuthZAssertion (section 3). Is this an assertion or policy statement? "An XACMLAuthzAssertion represents an XACML authorization, access control, or privacy policy that applies to the target of the wsp:Policy instance in which it appears. The Assertion MAY be used by a Web Service to express or publish its authorization, access control, or privacy requirements or its capability of complying with requirements imposed by a client. The Assertion MAY be used by a Web Services client to express or publish its authorization, access control, or privacy requirements requirements or its capability of complying with requirements imposed by a Web Service. Two instances of such an Assertion MAY be matched to determine whether they are compatible, and, if so, which requirements and capabilities are compatible." Also I didn't find support for so much expected cryptographically valid/ensured attributes. So, what possibilities do we have to give our comments to the author? Yuri David Chadwick wrote:
is attached.
------------------------------------------------------------------------
-- ogsa-authz-wg mailing list ogsa-authz-wg@ogf.org http://www.ogf.org/mailman/listinfo/ogsa-authz-wg
Hi Yuri firstly we have a lot of opportunity to feed our comments into Anne, the author, and I am sure she will be very receptive to our helpful input. Concerning its purpose, it can be used in negotiation for the sender to say what his requirement are from the other party, and what his capabilities are for providing a service to the other party. However, this is not really what we want from this service. We simply want the ability to provide an XACML request context in a secure manner to a remote PDP, and to obtain an XACML response context from the PDP. Which is why the SAML profile (that is now deprecated) was actually ideal for us (and why my first OGF spec was based on it). So my question to Anne would be, Can we make sure this new spec has the same functionality (at least) as the previous SAML spec. regards David Yuri Demchenko wrote:
Hi David,
I looked at the document your sent and was a bit confused to position it among other standards in use and our work.
Before we can discuss some minor detail, I want to say that title is a bit misleading. They call it "Web Services Profile of XACML (WS-XACML)" but actually it is Web Services Policy (WSP) profile/extensions for (using) XACML in WSP style policy definition.
They provided good use cases in Introduction, and correctly described XACML AuthZ token (section 2).
For me, it is not clear their definition of XACMLAuthZAssertion (section 3). Is this an assertion or policy statement?
"An XACMLAuthzAssertion represents an XACML authorization, access control, or privacy policy that applies to the target of the wsp:Policy instance in which it appears. The Assertion MAY be used by a Web Service to express or publish its authorization, access control, or privacy requirements or its capability of complying with requirements imposed by a client. The Assertion MAY be used by a Web Services client to express or publish its authorization, access control, or privacy requirements requirements or its capability of complying with requirements imposed by a Web Service. Two instances of such an Assertion MAY be matched to determine whether they are compatible, and, if so, which requirements and capabilities are compatible."
Also I didn't find support for so much expected cryptographically valid/ensured attributes.
So, what possibilities do we have to give our comments to the author?
Yuri
David Chadwick wrote:
is attached.
------------------------------------------------------------------------
-- ogsa-authz-wg mailing list ogsa-authz-wg@ogf.org http://www.ogf.org/mailman/listinfo/ogsa-authz-wg
-- ***************************************************************** David W. Chadwick, BSc PhD Professor of Information Systems Security The Computing Laboratory, University of Kent, Canterbury, CT2 7NF Skype Name: davidwchadwick Tel: +44 1227 82 3221 Fax +44 1227 762 811 Mobile: +44 77 96 44 7184 Email: D.W.Chadwick@kent.ac.uk Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html Entrust key validation string: MLJ9-DU5T-HV8J PGP Key ID is 0xBC238DE5 *****************************************************************
David, David Chadwick wrote:
firstly we have a lot of opportunity to feed our comments into Anne, the author, and I am sure she will be very receptive to our helpful input.
Concerning its purpose, it can be used in negotiation for the sender to say what his requirement are from the other party, and what his capabilities are for providing a service to the other party. However, this is not really what we want from this service. We simply want the ability to provide an XACML request context in a secure manner to a remote PDP, and to obtain an XACML response context from the PDP. Which is why the SAML profile (that is now deprecated) was actually ideal for us (and why my first OGF spec was based on it). So my question to Anne would be, Can we make sure this new spec has the same functionality (at least) as the previous SAML spec.
This is what were my expectation after you mentioned this document. But after reading it I didn't find this was the purpose and idea behind the document. Which SAML profile do you mean: GGF - GFD.66 - Use of SAML for OGSI Authorization? or OASIS - "SAML 2.0 profile of XACML v2.0"? It is linked from the XACML webpage http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-saml-profile-s... and new Working Draft of 26 June 2006 http://www.oasis-open.org/committees/download.php/18921/xacml-2.0-profile-sa... Yuri
Yuri Demchenko wrote:
Hi David,
I looked at the document your sent and was a bit confused to position it among other standards in use and our work.
Before we can discuss some minor detail, I want to say that title is a bit misleading. They call it "Web Services Profile of XACML (WS-XACML)" but actually it is Web Services Policy (WSP) profile/extensions for (using) XACML in WSP style policy definition.
They provided good use cases in Introduction, and correctly described XACML AuthZ token (section 2).
For me, it is not clear their definition of XACMLAuthZAssertion (section 3). Is this an assertion or policy statement?
"An XACMLAuthzAssertion represents an XACML authorization, access control, or privacy policy that applies to the target of the wsp:Policy instance in which it appears. The Assertion MAY be used by a Web Service to express or publish its authorization, access control, or privacy requirements or its capability of complying with requirements imposed by a client. The Assertion MAY be used by a Web Services client to express or publish its authorization, access control, or privacy requirements requirements or its capability of complying with requirements imposed by a Web Service. Two instances of such an Assertion MAY be matched to determine whether they are compatible, and, if so, which requirements and capabilities are compatible."
Also I didn't find support for so much expected cryptographically valid/ensured attributes.
So, what possibilities do we have to give our comments to the author?
Yuri
David Chadwick wrote:
is attached.
------------------------------------------------------------------------
-- ogsa-authz-wg mailing list ogsa-authz-wg@ogf.org http://www.ogf.org/mailman/listinfo/ogsa-authz-wg
Yuri Demchenko wrote:
David,
David Chadwick wrote:
firstly we have a lot of opportunity to feed our comments into Anne, the author, and I am sure she will be very receptive to our helpful input.
Concerning its purpose, it can be used in negotiation for the sender to say what his requirement are from the other party, and what his capabilities are for providing a service to the other party. However, this is not really what we want from this service. We simply want the ability to provide an XACML request context in a secure manner to a remote PDP, and to obtain an XACML response context from the PDP. Which is why the SAML profile (that is now deprecated) was actually ideal for us (and why my first OGF spec was based on it). So my question to Anne would be, Can we make sure this new spec has the same functionality (at least) as the previous SAML spec.
This is what were my expectation after you mentioned this document. But after reading it I didn't find this was the purpose and idea behind the document.
Which SAML profile do you mean:
GGF - GFD.66 - Use of SAML for OGSI Authorization?
or OASIS - "SAML 2.0 profile of XACML v2.0"?
This one, it is referenced in the OGF draft "Use of XACML Request Context to access a PDP" regards David
It is linked from the XACML webpage http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-saml-profile-s...
and new Working Draft of 26 June 2006 http://www.oasis-open.org/committees/download.php/18921/xacml-2.0-profile-sa...
Yuri
Yuri Demchenko wrote:
Hi David,
I looked at the document your sent and was a bit confused to position it among other standards in use and our work.
Before we can discuss some minor detail, I want to say that title is a bit misleading. They call it "Web Services Profile of XACML (WS-XACML)" but actually it is Web Services Policy (WSP) profile/extensions for (using) XACML in WSP style policy definition.
They provided good use cases in Introduction, and correctly described XACML AuthZ token (section 2).
For me, it is not clear their definition of XACMLAuthZAssertion (section 3). Is this an assertion or policy statement?
"An XACMLAuthzAssertion represents an XACML authorization, access control, or privacy policy that applies to the target of the wsp:Policy instance in which it appears. The Assertion MAY be used by a Web Service to express or publish its authorization, access control, or privacy requirements or its capability of complying with requirements imposed by a client. The Assertion MAY be used by a Web Services client to express or publish its authorization, access control, or privacy requirements requirements or its capability of complying with requirements imposed by a Web Service. Two instances of such an Assertion MAY be matched to determine whether they are compatible, and, if so, which requirements and capabilities are compatible."
Also I didn't find support for so much expected cryptographically valid/ensured attributes.
So, what possibilities do we have to give our comments to the author?
Yuri
David Chadwick wrote:
is attached.
------------------------------------------------------------------------
-- ogsa-authz-wg mailing list ogsa-authz-wg@ogf.org http://www.ogf.org/mailman/listinfo/ogsa-authz-wg
-- ***************************************************************** David W. Chadwick, BSc PhD Professor of Information Systems Security The Computing Laboratory, University of Kent, Canterbury, CT2 7NF Skype Name: davidwchadwick Tel: +44 1227 82 3221 Fax +44 1227 762 811 Mobile: +44 77 96 44 7184 Email: D.W.Chadwick@kent.ac.uk Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html Entrust key validation string: MLJ9-DU5T-HV8J PGP Key ID is 0xBC238DE5 *****************************************************************
participants (2)
-
David Chadwick -
Yuri Demchenko