[OGSA-AUTHZ] Web Services (Policy?) profile of/for XACML

David Chadwick d.w.chadwick at kent.ac.uk
Thu Feb 22 08:11:39 CST 2007 


Yuri Demchenko wrote:
> David,
> 
> David Chadwick wrote:
>> firstly we have a lot of opportunity to feed our comments into Anne, 
>> the author, and I am sure she will be very receptive to our helpful 
>> input.
>>
>> Concerning its purpose, it can be used in negotiation for the sender 
>> to say what his requirement are from the other party, and what his 
>> capabilities are for providing a service to the other party. However, 
>> this is not really what we want from this service. We simply want the 
>> ability to provide an XACML request context in a secure manner to a 
>> remote PDP, and to obtain an XACML response context from the PDP. 
>> Which is why the SAML profile (that is now deprecated) was actually 
>> ideal for us (and why my first OGF spec was based on it). So my 
>> question to Anne would be, Can we make sure this new spec has the same 
>> functionality (at least) as the previous SAML spec.
>>
> This is what were my expectation after you mentioned this document. But 
> after reading it I didn't find this was the purpose and idea behind the 
> document.
> 
> Which SAML profile do you mean:
> 
> GGF - GFD.66 - Use of SAML for OGSI Authorization?
> 
> or OASIS - "SAML 2.0 profile of XACML v2.0"?

This one, it is referenced in the OGF draft "Use of XACML Request 
Context to access a PDP"

regards

David




> It is linked from the XACML webpage 
> http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-saml-profile-spec-os.pdf 
> 
> and new Working Draft of 26 June 2006
> http://www.oasis-open.org/committees/download.php/18921/xacml-2.0-profile-saml2.0-v2-wd-2.zip 
> 
> 
> Yuri
> 
>>
>> Yuri Demchenko wrote:
>>> Hi David,
>>>
>>> I looked at the document your sent and was a bit confused to position 
>>> it among other standards in use and our work.
>>>
>>> Before we can discuss some minor detail, I want to say that title is 
>>> a bit misleading. They call it "Web Services Profile of XACML 
>>> (WS-XACML)" but actually it is Web Services Policy (WSP) 
>>> profile/extensions for (using) XACML in WSP style policy definition.
>>>
>>> They provided good use cases in Introduction, and correctly described 
>>> XACML AuthZ token (section 2).
>>>
>>> For me, it is not clear their definition of XACMLAuthZAssertion 
>>> (section 3). Is this an assertion or policy statement?
>>>
>>> "An XACMLAuthzAssertion represents an XACML authorization, access 
>>> control, or privacy policy that applies to the target of the 
>>> wsp:Policy instance in which it appears. The Assertion MAY be used by 
>>> a Web Service to express or publish its authorization, access 
>>> control, or privacy requirements or its capability of complying with 
>>> requirements imposed by a client. The Assertion MAY be used by a Web 
>>> Services client to express or publish its authorization, access 
>>> control, or privacy requirements requirements or its capability of 
>>> complying with requirements imposed by a Web Service. Two instances 
>>> of such an Assertion MAY be matched to determine whether they are 
>>> compatible, and, if so, which requirements and capabilities are 
>>> compatible."
>>>
>>> Also I didn't find support for so much expected cryptographically 
>>> valid/ensured attributes.
>>>
>>> So, what possibilities do we have to give our comments to the author?
>>>
>>> Yuri
>>>
>>>
>>> David Chadwick wrote:
>>>> is attached.
>>>>
>>>>
>>>> ------------------------------------------------------------------------ 
>>>>
>>>>
>>>> -- 
>>>>   ogsa-authz-wg mailing list
>>>>   ogsa-authz-wg at ogf.org
>>>>   http://www.ogf.org/mailman/listinfo/ogsa-authz-wg
>>>
>>>
>>
> 
> 

-- 

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************

More information about the ogsa-authz-wg mailing list