[OGSA-AUTHZ] Web Services (Policy?) profile of/for XACML
Yuri Demchenko
demch at science.uva.nl
Wed Feb 21 16:46:03 CST 2007
David,
David Chadwick wrote:
> firstly we have a lot of opportunity to feed our comments into Anne, the
> author, and I am sure she will be very receptive to our helpful input.
>
> Concerning its purpose, it can be used in negotiation for the sender to
> say what his requirements are from the other party, and what his
> capabilities are for providing a service to the other party. However,
> this is not really what we want from this service. We simply want the
> ability to provide an XACML request context in a secure manner to a
> remote PDP, and to obtain an XACML response context from the PDP. Which
> is why the SAML profile (that is now deprecated) was actually ideal for
> us (and why my first OGF spec was based on it). So my question to Anne
> would be, Can we make sure this new spec has the same functionality (at
> least) as the previous SAML spec.
>
This was my expectation after you mentioned this document. But
after reading it I didn't find that this was the purpose and idea behind the
document.
Which SAML profile do you mean:
GGF - GFD.66 - Use of SAML for OGSI Authorization?
or OASIS - "SAML 2.0 profile of XACML v2.0"?
It is linked from the XACML webpage
http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-saml-profile-spec-os.pdf
and new Working Draft of 26 June 2006
http://www.oasis-open.org/committees/download.php/18921/xacml-2.0-profile-saml2.0-v2-wd-2.zip
Yuri
>
> Yuri Demchenko wrote:
>> Hi David,
>>
>> I looked at the document you sent and was a bit confused about how to
>> position it among other standards in use and our work.
>>
>> Before we can discuss some minor details, I want to say that the title is a
>> bit misleading. They call it "Web Services Profile of XACML
>> (WS-XACML)" but actually it is Web Services Policy (WSP)
>> profile/extensions for (using) XACML in WSP style policy definition.
>>
>> They provided good use cases in the Introduction, and correctly described
>> the XACML AuthZ token (section 2).
>>
>> For me, their definition of XACMLAuthZAssertion (section 3) is not clear.
>> Is this an assertion or a policy statement?
>>
>> "An XACMLAuthzAssertion represents an XACML authorization, access
>> control, or privacy policy that applies to the target of the
>> wsp:Policy instance in which it appears. The Assertion MAY be used by
>> a Web Service to express or publish its authorization, access control,
>> or privacy requirements or its capability of complying with
>> requirements imposed by a client. The Assertion MAY be used by a Web
>> Services client to express or publish its authorization, access
>> control, or privacy requirements or its capability of
>> complying with requirements imposed by a Web Service. Two instances of
>> such an Assertion MAY be matched to determine whether they are
>> compatible, and, if so, which requirements and capabilities are
>> compatible."
>>
>> Also I didn't find support for the much-expected cryptographically
>> valid/ensured attributes.
>>
>> So, what possibilities do we have to give our comments to the author?
>>
>> Yuri
>>
>>
>> David Chadwick wrote:
>>> is attached.
>>> --
>>> ogsa-authz-wg mailing list
>>> ogsa-authz-wg at ogf.org
>>> http://www.ogf.org/mailman/listinfo/ogsa-authz-wg