[OGSA-AUTHZ] Web Services (Policy?) profile of/for XACML

Yuri Demchenko demch at science.uva.nl
Wed Feb 21 16:46:03 CST 2007


David,

David Chadwick wrote:
> firstly we have a lot of opportunity to feed our comments into Anne, the 
> author, and I am sure she will be very receptive to our helpful input.
> 
> Concerning its purpose, it can be used in negotiation for the sender to 
> say what his requirements are from the other party, and what his 
> capabilities are for providing a service to the other party. However, 
> this is not really what we want from this service. We simply want the 
> ability to provide an XACML request context in a secure manner to a 
> remote PDP, and to obtain an XACML response context from the PDP. Which 
> is why the SAML profile (that is now deprecated) was actually ideal for 
> us (and why my first OGF spec was based on it). So my question to Anne 
> would be, Can we make sure this new spec has the same functionality (at 
> least) as the previous SAML spec.
> 
This was my expectation after you mentioned this document. But 
after reading it, I didn't find that this was the purpose and idea behind the 
document.

Which SAML profile do you mean?

GGF - GFD.66 - Use of SAML for OGSI Authorization?

or OASIS - "SAML 2.0 profile of XACML v2.0"?
It is linked from the XACML webpage 
http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-saml-profile-spec-os.pdf
and the new Working Draft of 26 June 2006
http://www.oasis-open.org/committees/download.php/18921/xacml-2.0-profile-saml2.0-v2-wd-2.zip

Yuri

> 
> Yuri Demchenko wrote:
>> Hi David,
>>
>> I looked at the document you sent and was a bit confused about how to position 
>> it among other standards in use and our work.
>>
>> Before we can discuss minor details, I want to say that the title is a 
>> bit misleading. They call it "Web Services Profile of XACML 
>> (WS-XACML)" but actually it is Web Services Policy (WSP) 
>> profile/extensions for (using) XACML in WSP style policy definition.
>>
>> They provided good use cases in Introduction, and correctly described 
>> XACML AuthZ token (section 2).
>>
>> For me, their definition of XACMLAuthzAssertion (section 3) is not 
>> clear. Is this an assertion or a policy statement?
>>
>> "An XACMLAuthzAssertion represents an XACML authorization, access 
>> control, or privacy policy that applies to the target of the 
>> wsp:Policy instance in which it appears. The Assertion MAY be used by 
>> a Web Service to express or publish its authorization, access control, 
>> or privacy requirements or its capability of complying with 
>> requirements imposed by a client. The Assertion MAY be used by a Web 
>> Services client to express or publish its authorization, access 
>> control, or privacy requirements or its capability of 
>> complying with requirements imposed by a Web Service. Two instances of 
>> such an Assertion MAY be matched to determine whether they are 
>> compatible, and, if so, which requirements and capabilities are 
>> compatible."
>>
>> Also, I didn't find support for the much-expected cryptographically 
>> valid/ensured attributes.
>>
>> So, what possibilities do we have to give our comments to the author?
>>
>> Yuri
>>
>>
>> David Chadwick wrote:
>>> is attached.
