Re: [OGSA-AUTHZ] Web Services (Policy?) profile of/for XACML

26 Feb 2007

      Hi Anne

this is good news, since the "SAML 2.0 profile of XACML v2.0" is the one 
we have currently used in our OGF draft for a grid PEP talking to a PDP.

We had been informed at a previous OGF meeting that this profile was now 
deprecated by OASIS, and we were therefore looking for a replacement. 
But now we will not need to

regards

David

Anne Anderson - Sun Microsystems wrote:
...
The original SAML 1.0 Authorization Decision Query and Statement were 
"frozen" as of SAML 2.0, with a reference to the "SAML 2.0 profile of 
XACML v2.0" as a suggested replacement.
The "SAML 2.0 profile of XACML v2.0" is very much alive and has not been 
deprecated; it is a full OASIS and ITU-T Standard.  You can find a copy 
on the XACML TC Home Page along with the other XACML 2.0 specifications: 
http://www.oasis-open.org/apps/org/workgroup/xacml/manage/edit_notes.php#XAC.... 
 There were some errors in the spec and schemas that are corrected in 
the "SAML 2.0 profile of XACML v2.0 Errata" available at 
http://www.oasis-open.org/committees/download.php/15447/xacml-2.0-saml-errat...
The XACML TC is updating the "SAML 2.0 profile of XACML" as part of its 
XACML 3.0 release.  The updates are intended to be backwards compatible, 
and consist primarily of some additions to support the XACML 3.0 
Administrative Policy specification, such as the ability for a PEP to 
send a policy to be evaluated along with the request context.  The draft 
of this update is available at 
http://www.oasis-open.org/committees/download.php/18921/xacml-2.0-profile-sa... 
 I should be issuing a new draft before too long.
Please let me know if you have any further questions.
Regards,
Anne
David Chadwick wrote On 02/21/07 15:29,:
...
Hi Yuri
firstly we have a lot of opportunity to feed our comments into Anne, 
the author, and I am sure she will be very receptive to our helpful 
input.
Concerning its purpose, it can be used in negotiation for the sender 
to say what his requirement are from the other party, and what his 
capabilities are for providing a service to the other party. However, 
this is not really what we want from this service. We simply want the 
ability to provide an XACML request context in a secure manner to a 
remote PDP, and to obtain an XACML response context from the PDP. 
Which is why the SAML profile (that is now deprecated) was actually 
ideal for us (and why my first OGF spec was based on it). So my 
question to Anne would be, Can we make sure this new spec has the same 
functionality (at least) as the previous SAML spec.
regards
David
Yuri Demchenko wrote:
...
Hi David,
I looked at the document your sent and was a bit confused to position 
it among other standards in use and our work.
Before we can discuss some minor detail, I want to say that title is 
a bit misleading. They call it "Web Services Profile of XACML 
(WS-XACML)" but actually it is Web Services Policy (WSP) 
profile/extensions for (using) XACML in WSP style policy definition.
They provided good use cases in Introduction, and correctly described 
XACML AuthZ token (section 2).
For me, it is not clear their definition of XACMLAuthZAssertion 
(section 3). Is this an assertion or policy statement?
"An XACMLAuthzAssertion represents an XACML authorization, access 
control, or privacy policy that applies to the target of the 
wsp:Policy instance in which it appears. The Assertion MAY be used by 
a Web Service to express or publish its authorization, access 
control, or privacy requirements or its capability of complying with 
requirements imposed by a client. The Assertion MAY be used by a Web 
Services client to express or publish its authorization, access 
control, or privacy requirements requirements or its capability of 
complying with requirements imposed by a Web Service. Two instances 
of such an Assertion MAY be matched to determine whether they are 
compatible, and, if so, which requirements and capabilities are 
compatible."
Also I didn't find support for so much expected cryptographically 
valid/ensured attributes.
So, what possibilities do we have to give our comments to the author?
Yuri
David Chadwick wrote:
...
is attached.
------------------------------------------------------------------------
-- 
  ogsa-authz-wg mailing list
  ogsa-authz-wg@ogf.org
  http://www.ogf.org/mailman/listinfo/ogsa-authz-wg
-- 

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************

David Chadwick

tags

participants (1)