[OGSA-AUTHZ] Web Services (Policy?) profile of/for XACML

David Chadwick d.w.chadwick at kent.ac.uk
Mon Feb 26 13:13:55 CST 2007


Hi Anne

this is good news, since the "SAML 2.0 profile of XACML v2.0" is the one 
we have currently used in our OGF draft for a grid PEP talking to a PDP.

We had been informed at a previous OGF meeting that this profile was now 
deprecated by OASIS, and we were therefore looking for a replacement. 
But now we will not need to.

regards

David


Anne Anderson - Sun Microsystems wrote:
> The original SAML 1.0 Authorization Decision Query and Statement were 
> "frozen" as of SAML 2.0, with a reference to the "SAML 2.0 profile of 
> XACML v2.0" as a suggested replacement.
> 
> The "SAML 2.0 profile of XACML v2.0" is very much alive and has not been 
> deprecated; it is a full OASIS and ITU-T Standard.  You can find a copy 
> on the XACML TC Home Page along with the other XACML 2.0 specifications: 
> http://www.oasis-open.org/apps/org/workgroup/xacml/manage/edit_notes.php#XACML20. 
>  There were some errors in the spec and schemas that are corrected in 
> the "SAML 2.0 profile of XACML v2.0 Errata" available at 
> http://www.oasis-open.org/committees/download.php/15447/xacml-2.0-saml-errata-wd.zip 
> 
> 
> The XACML TC is updating the "SAML 2.0 profile of XACML" as part of its 
> XACML 3.0 release.  The updates are intended to be backwards compatible, 
> and consist primarily of some additions to support the XACML 3.0 
> Administrative Policy specification, such as the ability for a PEP to 
> send a policy to be evaluated along with the request context.  The draft 
> of this update is available at 
> http://www.oasis-open.org/committees/download.php/18921/xacml-2.0-profile-saml2.0-v2-wd-2.zip 
>  I should be issuing a new draft before too long.
> 
> Please let me know if you have any further questions.
> 
> Regards,
> Anne
> 
> David Chadwick wrote On 02/21/07 15:29,:
>> Hi Yuri
>>
>> firstly we have a lot of opportunity to feed our comments into Anne, 
>> the author, and I am sure she will be very receptive to our helpful 
>> input.
>>
>> Concerning its purpose, it can be used in negotiation for the sender 
>> to say what his requirements are from the other party, and what his 
>> capabilities are for providing a service to the other party. However, 
>> this is not really what we want from this service. We simply want the 
>> ability to provide an XACML request context in a secure manner to a 
>> remote PDP, and to obtain an XACML response context from the PDP. 
>> Which is why the SAML profile (that is now deprecated) was actually 
>> ideal for us (and why my first OGF spec was based on it). So my 
>> question to Anne would be, Can we make sure this new spec has the same 
>> functionality (at least) as the previous SAML spec.
>>
>> regards
>>
>> David
>>
>>
>> Yuri Demchenko wrote:
>>
>>> Hi David,
>>>
>>> I looked at the document your sent and was a bit confused to position 
>>> it among other standards in use and our work.
>>>
>>> Before we can discuss some minor detail, I want to say that the title is 
>>> a bit misleading. They call it "Web Services Profile of XACML 
>>> (WS-XACML)" but actually it is Web Services Policy (WSP) 
>>> profile/extensions for (using) XACML in WSP style policy definition.
>>>
>>> They provided good use cases in Introduction, and correctly described 
>>> XACML AuthZ token (section 2).
>>>
>>> For me, their definition of XACMLAuthZAssertion (section 3) is not 
>>> clear. Is this an assertion or policy statement?
>>>
>>> "An XACMLAuthzAssertion represents an XACML authorization, access 
>>> control, or privacy policy that applies to the target of the 
>>> wsp:Policy instance in which it appears. The Assertion MAY be used by 
>>> a Web Service to express or publish its authorization, access 
>>> control, or privacy requirements or its capability of complying with 
>>> requirements imposed by a client. The Assertion MAY be used by a Web 
>>> Services client to express or publish its authorization, access 
>>> control, or privacy requirements or its capability of 
>>> complying with requirements imposed by a Web Service. Two instances 
>>> of such an Assertion MAY be matched to determine whether they are 
>>> compatible, and, if so, which requirements and capabilities are 
>>> compatible."
>>>
>>> Also I didn't find support for the much expected cryptographically 
>>> valid/ensured attributes.
>>>
>>> So, what possibilities do we have to give our comments to the author?
>>>
>>> Yuri
>>>
>>>
>>> David Chadwick wrote:
>>>
>>>> is attached.
>>>>
>>>>
>>>>
>>>>
>>>> -- 
>>>>   ogsa-authz-wg mailing list
>>>>   ogsa-authz-wg at ogf.org
>>>>   http://www.ogf.org/mailman/listinfo/ogsa-authz-wg
>>>
>>>
>>>
>>
> 

-- 

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************
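The PEP-to-PDP exchange David describes earlier in the thread (an XACML request context carried securely to a remote PDP, and an XACML response context coming back) as an added example that is not part of the thread or of the OGF draft: a toy PEP and toy PDP speaking the message shapes of the "SAML 2.0 profile of XACML v2.0" (XACMLAuthzDecisionQuery wrapping an xacml-context:Request; samlp:Response whose Assertion carries an XACMLAuthzDecisionStatement wrapping an xacml-context:Response), using only the Python standard library. The issuer URLs, the policy table and the grid resource name are constructed assumptions, and the "secure manner" part is not shown: the profile relies on SAML signing and transport protection, and this example omits XML-DSig, so a real PEP would verify the Assertion signature where the comment says so.

```python
"""Toy PEP <-> PDP round trip in the shape of the SAML 2.0 profile of XACML v2.0.
Added example: constructed policy store and made-up issuer names; the Assertion
is NOT signed here, a real deployment signs it and the PEP verifies it."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XACML_SAMLP = "urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:protocol"
XACML_SAML = "urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:assertion"
CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
for prefix, uri in (("samlp", SAMLP), ("saml", SAML), ("xacml-samlp", XACML_SAMLP),
                    ("xacml-saml", XACML_SAML), ("xacml-context", CTX)):
    ET.register_namespace(prefix, uri)

SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
SAML_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

PEP_ISSUER = "https://pep.grid.example.org"   # assumed names, not from the thread
PDP_ISSUER = "https://pdp.grid.example.org"

# Constructed policy store for the toy PDP: (subject, resource, action) -> decision.
POLICY = {
    ("alice@example.org", "urn:example:grid:job-submit", "submit"): "Permit",
    ("bob@example.org", "urn:example:grid:job-submit", "submit"): "Deny",
}


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _attribute(parent, attr_id, value):
    a = ET.SubElement(parent, f"{{{CTX}}}Attribute", AttributeId=attr_id, DataType=XS_STRING)
    ET.SubElement(a, f"{{{CTX}}}AttributeValue").text = value


def pep_build_query(subject, resource, action, return_context=False):
    """PEP side: wrap an XACML 2.0 Request context in an XACMLAuthzDecisionQuery.
    Returns (query_id, xml_bytes); the PEP keeps query_id to match the answer."""
    query_id = "_" + uuid.uuid4().hex
    q = ET.Element(f"{{{XACML_SAMLP}}}XACMLAuthzDecisionQuery", ID=query_id,
                   Version="2.0", IssueInstant=_now(), InputContextOnly="true",
                   ReturnContext="true" if return_context else "false")
    ET.SubElement(q, f"{{{SAML}}}Issuer").text = PEP_ISSUER
    req = ET.SubElement(q, f"{{{CTX}}}Request")
    _attribute(ET.SubElement(req, f"{{{CTX}}}Subject"), SUBJECT_ID, subject)
    _attribute(ET.SubElement(req, f"{{{CTX}}}Resource"), RESOURCE_ID, resource)
    _attribute(ET.SubElement(req, f"{{{CTX}}}Action"), ACTION_ID, action)
    ET.SubElement(req, f"{{{CTX}}}Environment")
    return query_id, ET.tostring(q, encoding="utf-8")


def _attr_value(request, container, attr_id):
    for attr in request.iterfind(f"{{{CTX}}}{container}/{{{CTX}}}Attribute"):
        if attr.get("AttributeId") == attr_id:
            return attr.findtext(f"{{{CTX}}}AttributeValue")
    return None


def pdp_handle_query(query_xml):
    """PDP side: evaluate the Request against POLICY and return a samlp:Response whose
    Assertion carries an XACMLAuthzDecisionStatement with the xacml-context:Response."""
    q = ET.fromstring(query_xml)
    if q.tag != f"{{{XACML_SAMLP}}}XACMLAuthzDecisionQuery":
        raise ValueError("not an XACMLAuthzDecisionQuery")
    if q.findtext(f"{{{SAML}}}Issuer") != PEP_ISSUER:
        raise ValueError("query from an unknown PEP")
    req = q.find(f"{{{CTX}}}Request")
    key = tuple(_attr_value(req, c, i) for c, i in
                (("Subject", SUBJECT_ID), ("Resource", RESOURCE_ID), ("Action", ACTION_ID)))
    decision = POLICY.get(key, "NotApplicable")

    resp = ET.Element(f"{{{SAMLP}}}Response", ID="_" + uuid.uuid4().hex, Version="2.0",
                      IssueInstant=_now(), InResponseTo=q.get("ID"))
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = PDP_ISSUER
    ET.SubElement(ET.SubElement(resp, f"{{{SAMLP}}}Status"),
                  f"{{{SAMLP}}}StatusCode", Value=SAML_SUCCESS)
    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion", ID="_" + uuid.uuid4().hex,
                              Version="2.0", IssueInstant=_now())
    ET.SubElement(assertion, f"{{{SAML}}}Issuer").text = PDP_ISSUER
    stmt = ET.SubElement(assertion, f"{{{XACML_SAML}}}XACMLAuthzDecisionStatement")
    result = ET.SubElement(ET.SubElement(stmt, f"{{{CTX}}}Response"), f"{{{CTX}}}Result")
    ET.SubElement(result, f"{{{CTX}}}Decision").text = decision
    ET.SubElement(ET.SubElement(result, f"{{{CTX}}}Status"), f"{{{CTX}}}StatusCode",
                  Value="urn:oasis:names:tc:xacml:1.0:status:ok")
    if q.get("ReturnContext") == "true":
        stmt.append(req)  # profile: echo the Request after the Response when asked to
    return ET.tostring(resp, encoding="utf-8")


def pep_parse_decision(response_xml, query_id):
    """PEP side: accept only a successful Response to *our* query from *our* PDP and
    return its Decision; anything else fails closed to Deny."""
    r = ET.fromstring(response_xml)
    if r.tag != f"{{{SAMLP}}}Response" or r.get("InResponseTo") != query_id:
        return "Deny"
    code = r.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != SAML_SUCCESS:
        return "Deny"
    assertion = r.find(f"{{{SAML}}}Assertion")
    if assertion is None or assertion.findtext(f"{{{SAML}}}Issuer") != PDP_ISSUER:
        return "Deny"
    # A real PEP verifies the ds:Signature over the Assertion here (not shown).
    decision = assertion.findtext(
        f"{{{XACML_SAML}}}XACMLAuthzDecisionStatement/{{{CTX}}}Response/"
        f"{{{CTX}}}Result/{{{CTX}}}Decision")
    return decision if decision in ("Permit", "Deny", "NotApplicable", "Indeterminate") else "Deny"


def exchange(subject, resource, action):
    """One full round trip: PEP query -> toy PDP -> PEP decision."""
    query_id, query = pep_build_query(subject, resource, action)
    return pep_parse_decision(pdp_handle_query(query), query_id)
```

`exchange("alice@example.org", "urn:example:grid:job-submit", "submit")` yields Permit from the constructed policy table, a subject with no matching entry yields NotApplicable, and a response whose InResponseTo does not match the outstanding query ID, or whose Issuer is not the expected PDP, is treated as Deny rather than trusted; the signature check a production PEP must add sits at the marked line.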

