[OGSA-AUTHZ] Web Services (Policy?) profile of/for XACML
David Chadwick
d.w.chadwick at kent.ac.uk
Thu Feb 22 08:11:39 CST 2007
Yuri Demchenko wrote:
> David,
>
> David Chadwick wrote:
>> firstly we have a lot of opportunity to feed our comments into Anne,
>> the author, and I am sure she will be very receptive to our helpful
>> input.
>>
>> Concerning its purpose, it can be used in negotiation for the sender
>> to say what his requirements are from the other party, and what his
>> capabilities are for providing a service to the other party. However,
>> this is not really what we want from this service. We simply want the
>> ability to provide an XACML request context in a secure manner to a
>> remote PDP, and to obtain an XACML response context from the PDP.
>> Which is why the SAML profile (that is now deprecated) was actually
>> ideal for us (and why my first OGF spec was based on it). So my
>> question to Anne would be, Can we make sure this new spec has the same
>> functionality (at least) as the previous SAML spec.
>>
> This is what my expectation was after you mentioned this document. But
> after reading it I didn't find that this was the purpose and idea behind
> the document.
>
> Which SAML profile do you mean:
>
> GGF - GFD.66 - Use of SAML for OGSI Authorization?
>
> or OASIS - "SAML 2.0 profile of XACML v2.0"?
This one; it is referenced in the OGF draft "Use of XACML Request
Context to access a PDP".
regards
David
> It is linked from the XACML webpage
> http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-saml-profile-spec-os.pdf
>
> and new Working Draft of 26 June 2006
> http://www.oasis-open.org/committees/download.php/18921/xacml-2.0-profile-saml2.0-v2-wd-2.zip
>
>
> Yuri
>
>>
>> Yuri Demchenko wrote:
>>> Hi David,
>>>
>>> I looked at the document you sent and was a bit confused about how to
>>> position it among other standards in use and our work.
>>>
>>> Before we can discuss some minor details, I want to say that the title
>>> is a bit misleading. They call it "Web Services Profile of XACML
>>> (WS-XACML)" but actually it is a Web Services Policy (WSP)
>>> profile/extension for (using) XACML in WSP-style policy definition.
>>>
>>> They provided good use cases in Introduction, and correctly described
>>> XACML AuthZ token (section 2).
>>>
>>> For me, their definition of XACMLAuthZAssertion (section 3) is not
>>> clear. Is this an assertion or a policy statement?
>>>
>>> "An XACMLAuthzAssertion represents an XACML authorization, access
>>> control, or privacy policy that applies to the target of the
>>> wsp:Policy instance in which it appears. The Assertion MAY be used by
>>> a Web Service to express or publish its authorization, access
>>> control, or privacy requirements or its capability of complying with
>>> requirements imposed by a client. The Assertion MAY be used by a Web
>>> Services client to express or publish its authorization, access
>>> control, or privacy requirements or its capability of
>>> complying with requirements imposed by a Web Service. Two instances
>>> of such an Assertion MAY be matched to determine whether they are
>>> compatible, and, if so, which requirements and capabilities are
>>> compatible."
>>>
>>> Also, I didn't find support for the much-expected cryptographically
>>> valid/ensured attributes.
>>>
>>> So, what possibilities do we have to give our comments to the author?
>>>
>>> Yuri
>>>
>>>
>>> David Chadwick wrote:
>>>> is attached.
>>>>
--
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************