Re: [plasma] Comments from OASIS XACML TC on Message Access Control Requirements Draft
Jean-Paul Buu-Sao <jean-paul.buu-sao <at> tscp.org>
2012-07-18 09:32:10 GMT
Please find below some additional comments focused on the 4.3 Content Creation and 4.4 Content Consumption workflows:
Section 4.3: Content Creation Workflow
"The content creation PEP is configured with the set of PIPs and PDPs it trusts" (p. 39)
This assumes that the PEP is directly associated with all (possibly remote) applicable PDPs. This will not scale with a large number of applicable PDPs. Instead, would you consider a local PDP proxy, which would then be able to cache information related to remote PDPs when applicable?
"The content creation PEP submits a request to all the trusted PDPs for the set of roles it allows for the subject. The subject is authenticated and authorized for the roles via attributes from the PIP. The PIP attributes can be obtained by the PDP either via front-end (related to the PDP from the PIP via the subject) or back-end (direct exchange between the PDP and the PIP) processing" (p. 39)
See the comment above about scalability and availability. The result of the request can be locally cached by a local proxy; caching would be impossible otherwise.
Also, authorization is not always solely based upon subject attributes that represent a set of roles.
"The content creation PEP receives a list of roles the PDP can [be] configured for the subject" (p.39)
The same comment as above applies regarding roles. Additionally, the Content Creation PEP must not evaluate the attributes for the authorization decision, as this is the role of the PDP. So why should it care about receiving the list of roles that can be configured for the subject?
"The PEP submits a request for the policy collection for each role. Additional attributes may be required
from the PIP to authorize the release of the BCPC token" (p. 39)
Not necessarily optimal: the list of "roles" may be very large. Why would the PEP request the associated
policy collection on such a large list, before even considering the intention of the subject? Shouldn't
the PEP rather wait for the subject to express its intention, that is: explicitly specify the subset of the
policies that are to be applied to the content to be created?
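To make the scalability argument in this message concrete, here is a small Python model added by the editor (it is not code from the draft, the XACML TC or TSCP, and uses constructed sample PDPs and roles rather than any real XACML wire format). It contrasts a PEP that fans out to every trusted PDP on each request with a local PDP proxy that caches per (subject, PDP) for a TTL, and shows the "intent first" idea of requesting policy collections only for the roles the subject means to apply.

```python
import time

class RemotePDP:
    """Stand-in for one trusted remote PDP (constructed sample, not a real XACML endpoint)."""
    def __init__(self, name, roles_by_subject):
        self.name, self.roles_by_subject, self.calls = name, roles_by_subject, 0
    def roles_for(self, subject):
        self.calls += 1                        # count every remote round trip
        return frozenset(self.roles_by_subject.get(subject, ()))

class DirectPEP:
    """PEP configured with every trusted PDP, asking each one on every request."""
    def __init__(self, pdps):
        self.pdps = pdps
    def roles_for(self, subject):
        return frozenset().union(*(p.roles_for(subject) for p in self.pdps))

class PDPProxy:
    """Local PDP proxy: same fan-out, but answers cached per (subject, PDP) for ttl seconds."""
    def __init__(self, pdps, ttl, clock=time.monotonic):
        self.pdps, self.ttl, self.clock, self.cache = pdps, ttl, clock, {}
    def roles_for(self, subject):
        now, roles = self.clock(), set()
        for p in self.pdps:
            stamp, cached = self.cache.get((subject, p.name), (None, None))
            if stamp is None or now - stamp > self.ttl:   # miss or expired: go remote
                cached = p.roles_for(subject)
                self.cache[(subject, p.name)] = (now, cached)
            roles |= cached
        return frozenset(roles)

def policies_to_fetch(granted_roles, intended_roles):
    """Request policy collections only for roles the subject both holds and intends to apply."""
    return frozenset(granted_roles) & frozenset(intended_roles)

def simulate(n_requests, subject="alice"):
    """Constructed scenario: three trusted PDPs, the same subject asks n_requests times.
    Returns (remote calls with direct fan-out, remote calls through the caching proxy)."""
    def make_pdps():
        return [RemotePDP("pdp-a", {subject: {"engineer"}}),
                RemotePDP("pdp-b", {subject: {"project-x-member", "engineer"}}),
                RemotePDP("pdp-c", {})]
    direct, proxied = make_pdps(), make_pdps()
    pep, proxy = DirectPEP(direct), PDPProxy(proxied, ttl=300, clock=lambda: 0.0)
    for _ in range(n_requests):
        pep.roles_for(subject)
        proxy.roles_for(subject)
    return sum(p.calls for p in direct), sum(p.calls for p in proxied)
```

With ten repeated requests the direct PEP makes 30 remote calls while the proxy makes 3; the cache is keyed per PDP so a single unreachable PDP only affects its own entry.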