RE: XACML OID tag?
Bob Jueneman wrote:
> This is going to sound like heresy, but has anyone defined an
> OID tag for XACML, so that an XACML string could be included
> in an X.509 certificate?
...
> Toolkits which would allow enterprises to issue their own
> certificates have so far failed to take off to any
> significant degree
...
> One of the reasons, I believe, is that neither the public
> TTPs nor the toolkit vendors have so far adequately addressed
> the important issue of providing a cross-enterprise Privilege
> Management Infrastructure solution. And now that they are
> feeling a very significant financial pinch, they may not have
> the wherewithal to solve that problem.
Perhaps you are simply looking for an OID to put arbitrary XML in a cert, so
this response will be overkill, but I believe your message implies a lack of
understanding of the XML security work currently going on at OASIS (SAML and
XACML).
XACML is defining the means to express Access Control Policies. I don't
really see what the semantics of an access control policy in the middle of a
cert would be.
Perhaps you are thinking of SAML. SAML has Attribute Assertions which are
almost like Attribute Certs. Also it has Authentication Assertions which
seem mostly useful in a non-PKI environment. Finally there are Authorization
Decision Assertions, which are likely to be quite specific to a resource and
short lived. Again it is not clear what putting one in a cert would signify
exactly.
Of course all can be signed using XMLdsig and thus be consumers of PKIX
mechanisms. But I am unclear what sort of a use case you have in mind.
> Maybe it's just the religion of the week (XML) creating an
> evangelistic fervor, but that's where the buzz seems to be
> these days. And I'd rather drop some XACML into an X.509
> certificate and make use of the existing tools, rather than
> create everything from scratch. And yes, if X.509 attribute
> certificates had been better thought out and/or more widely
> implemented, maybe this wouldn't be necessary. And if pigs
> could whistle and cows could fly, then the world would be a
> much different place.
If you believe X.509 Attribute Certs are broken (as opposed to unused) I
would like to hear why, since SAML Attribute Assertions are very similar. On
the other hand, SAML has a lot of other machinery, so perhaps we have
already addressed your concerns.
I understand the buzz concern, but there is actually very little overlap
between the functional capabilities of PKIX and the OASIS security work.
> Anyway, does anyone have such an OID and a suggested way to
> use it? If not, I guess I'll explore rolling my own, unless
> someone else wants to join in the fun.
Before you design something, I suggest you propose a use case or some
requirements or something.
Regards,
Hal
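Editor's added example, not part of the thread and not code from either correspondent: the mechanics of what Bob describes, an opaque XML string placed under a private extension OID in an X.509 certificate and read back, plus the check Hal's point about PKIX implies. The OID used is a placeholder under the IANA private-enterprise arc (1.3.6.1.4.1) with 99999 standing in for a registered enterprise number; nobody has allocated it for XACML. The XML is a constructed stand-in, not a schema-valid XACML policy. The function and variable names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// oidXMLExt is a PLACEHOLDER arc under the IANA private-enterprise root
// (1.3.6.1.4.1); 99999 stands in for a registered enterprise number. It is
// an assumption of this example, not an OID anyone has allocated for XACML.
var oidXMLExt = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 1}

// sampleXML is a constructed stand-in for "an XACML string"; it is not a
// schema-valid XACML policy and carries no semantics the thread defines.
const sampleXML = `<Policy PolicyId="example:placeholder"><Rule Effect="Permit"/></Policy>`

// buildCertWithXML issues a self-signed certificate carrying xml in a private
// extension. The extnValue is the DER encoding of a UTF8String, the usual way
// to wrap an opaque text blob inside an extension.
func buildCertWithXML(xml string, critical bool) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	value, err := asn1.MarshalWithParams(xml, "utf8")
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "xml-extension-example"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		ExtraExtensions: []pkix.Extension{{
			Id:       oidXMLExt,
			Critical: critical,
			Value:    value,
		}},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// extractXML parses a DER certificate and returns the text stored under
// oidXMLExt. Go's parser surfaces extensions it does not recognise verbatim
// in cert.Extensions, so the reading side needs no special support either.
func extractXML(der []byte) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidXMLExt) {
			continue
		}
		var s string
		rest, err := asn1.UnmarshalWithParams(ext.Value, &s, "utf8")
		if err != nil {
			return "", err
		}
		if len(rest) != 0 {
			return "", errors.New("trailing bytes after extension value")
		}
		return s, nil
	}
	return "", errors.New("extension not present")
}

// verifyChain runs the cert through the stock PKIX path validator with itself
// as the only trust anchor. This is the check that decides how the extension
// must be flagged: a critical extension the validator does not understand is
// a hard failure, whereas a non-critical one is simply ignored by existing
// PKIX tools, which is the only way a private blob can ride along in a cert.
func verifyChain(der []byte) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

func main() {
	der, err := buildCertWithXML(sampleXML, false)
	if err != nil {
		panic(err)
	}
	got, err := extractXML(der)
	fmt.Printf("round-trip ok: %v (err=%v)\n", got == sampleXML, err)
	fmt.Printf("non-critical extension verifies: %v\n", verifyChain(der) == nil)

	crit, _ := buildCertWithXML(sampleXML, true)
	fmt.Printf("critical extension verify error: %v\n", verifyChain(crit))
}
```

Note what this does and does not give you: the bytes round-trip, and a relying party that does not know the OID still validates the chain as long as the extension is non-critical. It says nothing about what the blob means, who is asserting it, or how it is revoked independently of the key, which is exactly the gap Hal is pointing at.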