[OGSA-AUTHZ] Web Services (Policy?) profile of/for XACML
David Chadwick
d.w.chadwick at kent.ac.uk
Mon Feb 26 13:13:55 CST 2007
Hi Anne,

This is good news, since the "SAML 2.0 profile of XACML v2.0" is the one
we have currently used in our OGF draft for a grid PEP talking to a PDP.
We had been informed at a previous OGF meeting that this profile was now
deprecated by OASIS, and we were therefore looking for a replacement.
But now we will not need to.

Regards,
David
Anne Anderson - Sun Microsystems wrote:
> The original SAML 1.0 Authorization Decision Query and Statement were
> "frozen" as of SAML 2.0, with a reference to the "SAML 2.0 profile of
> XACML v2.0" as a suggested replacement.
>
> The "SAML 2.0 profile of XACML v2.0" is very much alive and has not been
> deprecated; it is a full OASIS and ITU-T Standard. You can find a copy
> on the XACML TC Home Page along with the other XACML 2.0 specifications:
> http://www.oasis-open.org/apps/org/workgroup/xacml/manage/edit_notes.php#XACML20.
> There were some errors in the spec and schemas that are corrected in
> the "SAML 2.0 profile of XACML v2.0 Errata" available at
> http://www.oasis-open.org/committees/download.php/15447/xacml-2.0-saml-errata-wd.zip
>
>
> The XACML TC is updating the "SAML 2.0 profile of XACML" as part of its
> XACML 3.0 release. The updates are intended to be backwards compatible,
> and consist primarily of some additions to support the XACML 3.0
> Administrative Policy specification, such as the ability for a PEP to
> send a policy to be evaluated along with the request context. The draft
> of this update is available at
> http://www.oasis-open.org/committees/download.php/18921/xacml-2.0-profile-saml2.0-v2-wd-2.zip
> I should be issuing a new draft before too long.
>
> Please let me know if you have any further questions.
>
> Regards,
> Anne
>
> David Chadwick wrote on 02/21/07 15:29:
>> Hi Yuri
>>
>> Firstly, we have a lot of opportunity to feed our comments into Anne,
>> the author, and I am sure she will be very receptive to our helpful
>> input.
>>
>> Concerning its purpose, it can be used in negotiation for the sender
>> to say what his requirements are from the other party, and what his
>> capabilities are for providing a service to the other party. However,
>> this is not really what we want from this service. We simply want the
>> ability to provide an XACML request context in a secure manner to a
>> remote PDP, and to obtain an XACML response context from the PDP.
>> Which is why the SAML profile (that is now deprecated) was actually
>> ideal for us (and why my first OGF spec was based on it). So my
>> question to Anne would be: can we make sure this new spec has the same
>> functionality (at least) as the previous SAML spec?
>>
>> regards
>>
>> David
>>
>>
>> Yuri Demchenko wrote:
>>
>>> Hi David,
>>>
>>> I looked at the document you sent and was a bit confused about how to
>>> position it among other standards in use and our work.
>>>
>>> Before we can discuss some minor details, I want to say that the title
>>> is a bit misleading. They call it "Web Services Profile of XACML
>>> (WS-XACML)" but actually it is a Web Services Policy (WSP)
>>> profile/extension for (using) XACML in WSP-style policy definition.
>>>
>>> They provided good use cases in Introduction, and correctly described
>>> XACML AuthZ token (section 2).
>>>
>>> For me, their definition of XACMLAuthZAssertion (section 3) is not
>>> clear. Is this an assertion or a policy statement?
>>>
>>> "An XACMLAuthzAssertion represents an XACML authorization, access
>>> control, or privacy policy that applies to the target of the
>>> wsp:Policy instance in which it appears. The Assertion MAY be used by
>>> a Web Service to express or publish its authorization, access
>>> control, or privacy requirements or its capability of complying with
>>> requirements imposed by a client. The Assertion MAY be used by a Web
>>> Services client to express or publish its authorization, access
>>> control, or privacy requirements or its capability of
>>> complying with requirements imposed by a Web Service. Two instances
>>> of such an Assertion MAY be matched to determine whether they are
>>> compatible, and, if so, which requirements and capabilities are
>>> compatible."
>>>
>>> Also, I didn't find support for the much-expected cryptographically
>>> valid/ensured attributes.
>>>
>>> So, what possibilities do we have to give our comments to the author?
>>>
>>> Yuri
>>>
>>>
>>> David Chadwick wrote:
>>>
>>>> is attached.
>>>>
>>>>
>>>> --
>>>> ogsa-authz-wg mailing list
>>>> ogsa-authz-wg at ogf.org
>>>> http://www.ogf.org/mailman/listinfo/ogsa-authz-wg
--
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************
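The PEP-to-PDP exchange David describes above (an XACML request context carried to a remote PDP, an XACML response context coming back), shown as an added Python illustration. This is not code from the thread, from the OGF draft, or from any OASIS implementation. It uses the element and namespace names of the SAML 2.0 profile of XACML v2.0 (XACMLAuthzDecisionQuery on the way in, XACMLAuthzDecisionStatement inside a SAML assertion on the way out); the toy policy, the endpoint names and the in-process function call standing in for the SOAP transport are constructed assumptions, and the XML signature that the profile relies on to make the exchange "secure" in the sense David wants is not shown.

```python
# Added illustration of a PEP/PDP round trip in the shape of the SAML 2.0
# profile of XACML v2.0. Policy, endpoint names and the in-process
# "transport" are constructed assumptions; XML signatures are omitted.
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xacml-samlp": "urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:protocol",
    "xacml-saml": "urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:assertion",
    "xacml-context": "urn:oasis:names:tc:xacml:2.0:context:schema:os",
}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)

SAML_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
STRING = "http://www.w3.org/2001/XMLSchema#string"

# Constructed toy policy: the permitted (subject, resource, action) triples.
POLICY = {
    ("alice@example.org", "https://grid.example.org/jobs", "submit"),
    ("alice@example.org", "https://grid.example.org/jobs", "read"),
}
KNOWN_RESOURCES = {r for _, r, _ in POLICY}

def q(prefix, local):
    return "{%s}%s" % (NS[prefix], local)

def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def build_authz_decision_query(subject, resource, action, issuer="pep.example.org"):
    """PEP side: wrap an XACML 2.0 request context in an XACMLAuthzDecisionQuery."""
    qid = "_" + uuid.uuid4().hex
    query = ET.Element(q("xacml-samlp", "XACMLAuthzDecisionQuery"), {
        "ID": qid, "Version": "2.0", "IssueInstant": _now(),
        "InputContextOnly": "true",  # decide on the supplied attributes only
        "ReturnContext": "true",     # ask the PDP to echo the request context
    })
    ET.SubElement(query, q("saml", "Issuer")).text = issuer
    req = ET.SubElement(query, q("xacml-context", "Request"))
    for section, attr_id, value in (("Subject", SUBJECT_ID, subject),
                                    ("Resource", RESOURCE_ID, resource),
                                    ("Action", ACTION_ID, action)):
        sec = ET.SubElement(req, q("xacml-context", section))
        attr = ET.SubElement(sec, q("xacml-context", "Attribute"),
                             {"AttributeId": attr_id, "DataType": STRING})
        ET.SubElement(attr, q("xacml-context", "AttributeValue")).text = value
    ET.SubElement(req, q("xacml-context", "Environment"))
    return qid, ET.tostring(query, encoding="utf-8")

def _attr(ctx, section, attr_id):
    for a in ctx.findall("xacml-context:%s/xacml-context:Attribute" % section, NS):
        if a.get("AttributeId") == attr_id:
            v = a.find("xacml-context:AttributeValue", NS)
            return v.text if v is not None else None
    return None

def evaluate(query_xml, pdp="pdp.example.org"):
    """PDP side: decide, then return a SAML Response carrying an XACMLAuthzDecisionStatement."""
    query = ET.fromstring(query_xml)
    if query.tag != q("xacml-samlp", "XACMLAuthzDecisionQuery"):
        raise ValueError("not an XACMLAuthzDecisionQuery")
    ctx = query.find("xacml-context:Request", NS)
    triple = tuple(_attr(ctx, s, i) for s, i in
                   (("Subject", SUBJECT_ID), ("Resource", RESOURCE_ID), ("Action", ACTION_ID)))
    xacml_status = "urn:oasis:names:tc:xacml:1.0:status:ok"
    if None in triple:  # a required attribute is missing: Indeterminate, not Deny
        decision, xacml_status = "Indeterminate", "urn:oasis:names:tc:xacml:1.0:status:missing-attribute"
    elif triple in POLICY:
        decision = "Permit"
    elif triple[1] in KNOWN_RESOURCES:
        decision = "Deny"
    else:
        decision = "NotApplicable"
    resp = ET.Element(q("samlp", "Response"), {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
                                               "IssueInstant": _now(), "InResponseTo": query.get("ID")})
    ET.SubElement(resp, q("saml", "Issuer")).text = pdp
    ET.SubElement(ET.SubElement(resp, q("samlp", "Status")), q("samlp", "StatusCode"), {"Value": SAML_SUCCESS})
    assertion = ET.SubElement(resp, q("saml", "Assertion"),
                              {"ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _now()})
    ET.SubElement(assertion, q("saml", "Issuer")).text = pdp
    stmt = ET.SubElement(assertion, q("xacml-saml", "XACMLAuthzDecisionStatement"))
    result = ET.SubElement(ET.SubElement(stmt, q("xacml-context", "Response")), q("xacml-context", "Result"))
    ET.SubElement(result, q("xacml-context", "Decision")).text = decision
    ET.SubElement(ET.SubElement(result, q("xacml-context", "Status")),
                  q("xacml-context", "StatusCode"), {"Value": xacml_status})
    if query.get("ReturnContext") == "true":
        stmt.append(ctx)  # echo the request context this decision applies to
    return ET.tostring(resp, encoding="utf-8")

def decision_from_response(response_xml, expected_query_id):
    """PEP side: bind the answer to our own query and check SAML status before reading the decision."""
    resp = ET.fromstring(response_xml)
    if resp.get("InResponseTo") != expected_query_id:
        raise ValueError("response is not bound to our query")
    if resp.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SAML_SUCCESS:
        raise ValueError("PDP reported a SAML-level failure")
    return resp.find("saml:Assertion/xacml-saml:XACMLAuthzDecisionStatement/"
                     "xacml-context:Response/xacml-context:Result/xacml-context:Decision", NS).text

def authorize(subject, resource, action):
    """End-to-end round trip; the in-process evaluate() stands in for the remote PDP endpoint."""
    qid, query_xml = build_authz_decision_query(subject, resource, action)
    return decision_from_response(evaluate(query_xml), qid)

if __name__ == "__main__":
    print(authorize("alice@example.org", "https://grid.example.org/jobs", "submit"))
```

The InResponseTo check on the PEP side is the part a real deployment must not skip: without it (and without verifying the PDP's signature over the assertion) a response captured for one request can be replayed as the answer to another.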