Friday, January 25, 2008

New $2B Dutch Transport Card is Insecure

Ed Felten, in his blog entry "New $2B Dutch Transport Card is Insecure", writes about the Dutch transportation card, which is reported to be insecure.

The problem is highlighted in the following statement:
Unfortunately the designers of Mifare Classic did not follow this principle. Instead, they chose to combine a secret algorithm with a relatively short 48-bit key. This is a problem because once you know the algorithm it's possible for an attacker to search the entire 48-bit key space, and therefore to forge cards, in a matter of days or weeks. With 48 key bits, there are only about 280 trillion possible keys, which sounds like a lot to the person on the street but isn't much of a barrier to today's computers.


An extremely healthy discussion is going on in the comments section of Ed's aforementioned blog post.

Thursday, January 24, 2008

Report: Identity Theft Worse in 2008

Jennifer LeClaire writes in Report: Identity Theft Worse in 2008 that the Identity Theft Resource Center (ITRC) has offered several disturbing predictions for 2008. For example, the ITRC predicts identity theft will continue to grow more international in scope and that identity-theft scams will become more sophisticated and will be harder to detect.


"Identity theft is like the never-ending story," ITRC Founder Linda Foley said in a statement. "It acts like an oil spill that spreads in yet another direction with the ocean currents and wind despite best efforts to contain it."

Wednesday, January 23, 2008

US-CERT ST05-002-Keeping Children Safe Online

Children present unique security risks when they use a computer—not only do you have to keep them safe, you have to protect the data on your computer. By taking some simple steps, you can dramatically reduce the threats.
===========================================================
What unique risks are associated with children?

When a child is using your computer, normal safeguards and security practices may not be sufficient. Children present additional challenges because of their natural characteristics: innocence, curiosity, desire for independence, and fear of punishment. You need to consider these characteristics when determining how to protect your data and the child.

You may think that because the child is only playing a game, or researching a term paper, or typing a homework assignment, he or she can't cause any harm. But what if, when saving her paper, the child deletes a necessary program file? Or what if she unintentionally visits a malicious web page that infects your computer with a virus? These are just two possible scenarios. Mistakes happen, but the child may not realize what she's done or may not tell you what happened because she's afraid of getting punished.

Online predators present another significant threat, particularly to children. Because the nature of the internet is so anonymous, it is easy for people to misrepresent themselves and manipulate or trick other users (see Avoiding Social Engineering and Phishing Attacks for some examples). Adults often fall victim to these ploys, and children, who are usually much more open and trusting, are even easier targets. The threat is even greater if a child has access to email or instant messaging programs, visits chat rooms, and/or uses social networking sites (see Using Instant Messaging and Chat Rooms Safely and Staying Safe on Social Network Sites for more information).

What can you do?

* Be involved - Consider activities you can work on together, whether it be playing a game, researching a topic you had been talking about (e.g., family vacation spots, a particular hobby, a historical figure), or putting together a family newsletter. This will allow you to supervise your child's online activities while teaching her good computer habits.

* Keep your computer in an open area - If your computer is in a high-traffic area, you will be able to easily monitor the computer activity. Not only does this accessibility deter a child from doing something she knows she's not allowed to do, it also gives you the opportunity to intervene if you notice a behavior that could have negative consequences.

* Set rules and warn about dangers - Make sure your child knows the boundaries of what she is allowed to do on the computer. These boundaries should be appropriate for the child's age, knowledge, and maturity, but they may include rules about how long she is allowed to be on the computer, what sites she is allowed to visit, what software programs she can use, and what tasks or activities she is allowed to do. You should also talk to children about the dangers of the internet so that they recognize suspicious behavior or activity. The goal isn't to scare them, it's to make them more aware.

* Monitor computer activity - Be aware of what your child is doing on the computer, including which web sites she is visiting. If she is using email, instant messaging, or chat rooms, try to get a sense of who she is corresponding with and whether she actually knows them.

* Keep lines of communication open - Let your child know that she can approach you with any questions or concerns about behaviors or problems she may have encountered on the computer.

* Consider partitioning your computer into separate accounts - Most operating systems (including Windows XP, Mac OS X, and Linux) give you the option of creating a different user account for each user. If you're worried that your child may accidentally access, modify, and/or delete your files, you can give her a separate account and decrease the amount of access and number of privileges she has.

If you don't have separate accounts, you need to be especially careful about your security settings. In addition to limiting functionality within your browser (see Evaluating Your Web Browser's Security Settings for more information), avoid letting your browser remember passwords and other personal information (see Browsing Safely: Understanding Active Content and Cookies). Also, it is always important to keep your virus definitions up to date (see Understanding Anti-Virus Software).

* Consider implementing parental controls - You may be able to set some parental controls within your browser. For example, Internet Explorer allows you to restrict or allow certain web sites to be viewed on your computer, and you can protect these settings with a password. To find those options, click Tools on your menu bar, select Internet Options..., choose the Content tab, and click the Enable... button under Content Advisor.

There are other resources you can use to control and/or monitor your child's online activity. Some ISPs offer services designed to protect children online. Contact your ISP to see if any of these services are available. There are also special software programs you can install on your computer. Different programs offer different features and capabilities, so you can find one that best suits your needs. The following web sites offer lists of software, as well as other useful information about protecting children online:

o GetNetWise - http://kids.getnetwise.org/ - Click Tools for Families to reach a page that allows you to search for software based on characteristics like what the tool does and what operating system you have on your computer.

o Yahooligans! Parents' Guide - http://yahooligans.yahoo.com/parents/ - Click Blocking and Filtering under Related Websites on the left sidebar to reach a list of software.

Authors: Mindi McDowell, Allen Householder
Copyright 2005 Carnegie Mellon University

This tip is available at http://www.us-cert.gov/cas/tips/ST05-002pr.html

===========================================================

My Blog References:
http://anil-identity.blogspot.com/2007/12/keep-kids-safe-on-internet.html

Saturday, January 19, 2008

Sitemap protocol from Google makes eGovernment Possible

A few months back, I made a presentation at the W3C Workshop on eGovernment and the Web in Washington DC. Well, my memories of this workshop are not only that I made a presentation to many of the policy makers from UK and US governmental agencies, but also that I had the privilege of sitting beside Sir Tim Berners-Lee at the workshop for a few hours (I did have some off-line discussion on web security with him). A summary of my presentation is here.


The reason I am broaching this topic again is that I had the privilege of listening to JL Needham of Google talk about a sitemap protocol to make eGovernment more accessible to citizens.

Here is JL Needham testifying at a Senate committee on the Sitemap protocol. His testimony talks about how Google Earth and Google Maps are being used by governmental agencies. Interesting insight into how web 2.0 is shaping eGovernment information.

Thursday, January 17, 2008

Top 10 Security Menaces of 2008

The top 10 Security Menaces of 2008

1. Browser Exploits
2. Botnets
3. Espionage via Targeted Phishing
4. Mobile Devices and VoIP
5. Insider Attacks
6. Identity Theft via Persistent Bots
7. Increasingly Malicious Spyware
8. Web 2.0/Web Application Exploits
9. Blended Approaches to Phishing
10. Infected Consumer Devices

Source: The SANS Institute, January 2008

The summary is that "Consumerized Technology" has become the most dangerous. Surprised?

Placing better attack tools on trusted sites is giving attackers a huge advantage over the unwary public.


Attacks on VoIP systems are on the horizon and may surge in 2008. VoIP phones and the IP PBXs have had numerous published vulnerabilities. Attack tools exploiting these vulnerabilities have been written and are available on the Internet. In short, the VoIP attack surface is enormous.


Tax filing scams and scams based on the U.S. Presidential elections will be widely used this year, and many of them will succeed.

Wednesday, January 16, 2008

Effectiveness of the SSL Padlock on your browser

When you perform an e-commerce transaction or provide PII (personally identifiable information) to a website, you typically look for two clues: one, that the URL starts with https, and the other, a PADLOCK in the user agent. Certain browsers, such as Mozilla Firefox, also change the color of the location bar. Now, if these two clues exist, you feel certain that there will be no Man-In-The-Middle (MITM) attack and that your information will not be compromised.

But have you wondered, from an internet security perspective, how effective these visual cues are?

Here is an excellent research article by Canadian researchers Tara Whalen and Kori M. Inkpen, of the Faculty of Computer Science at Dalhousie University in Halifax, Canada. The article is titled "Gathering Evidence: Use of Visual Security Cues in Web Browsers".

Let me point to some very key observations from this research:

Given the potential consequences of exposing banking passwords and credit cards, users are understandably concerned about the risks of online transactions. People must be given the ability to discover and understand security information when using the web. The overall goal of this research is to develop feedback that clearly informs users about security without overburdening them with distractions.

Sixteen participants (10 female and 6 male) took part in the study. Nine participants worked for the university (faculty or staff), and seven were students.

Bank sign-in: Fifteen participants (out of 16) thought that the bank sign-in page was secure. The one person who thought it was insecure based their decision on lack of clear security statements on the bank's information page. None of the participants used the certificate data to conclude the connection was insecure.

Our research in visual security cues discovered information that can be applied to browser design and evaluation. In summary, we found that
• the lock icon is the browser security cue that is most often looked at, but few interact with it;
• some experienced web users do not take any notice of browser security cues;
• small browser icons can be easily misidentified or confused, especially given the nonstandard layouts among browsers;
• certificates as sources of information are seldom used and rarely understood; and
• people tend to stop looking for security information after they have signed into a site.


The important conclusion that I want to drive home in this blog post is that security cues are necessary but not sufficient to give users an overall sense of trust on the Internet.

The Web Security Context working group at the W3C is working hard with security experts, browser implementors, researchers, anti-phishing and usability experts, and their recommendation (work in progress) is available at:
Web Security Context: Experience, Indicators, and Trust

Now do not tell me that the padlock was all you needed to assure you that a particular website was secure to interact with.

Additionally, you should know that the SSL padlock can be spoofed. Another report on this.

Fake Mac Cleaning Tool 'MacSweeper' menace

US-CERT is reporting the growing menace of a cleaning software tool called "MacSweeper" that is circulating around the world. This is rogue software and should not be installed.

The full entry is here on US-CERT.

It is really appalling to see so many fake software tools frequenting cyberspace, preying on people's fears and ignorance.

UPDATE: The following site talks more on this in depth.
http://blog.iantivirus.com/2008/01/deeper-look-on-macsweeper.html

Tuesday, January 15, 2008

XSS using Flash is a growing menace

Jeremiah Grossman has alerted the world to a growing menace: XSS (Cross-site scripting) using Flash.

Rich Cannings has authored a paper on this which is freely available: XSS Vulnerabilities in Common Shockwave Flash Files

Critical vulnerabilities exist in a large number of widely used web authoring tools that automatically generate Shockwave Flash (SWF) files, such as Adobe (r) Dreamweaver (r), Adobe Acrobat (r) Connect (tm) (formerly Macromedia Breeze), InfoSoft FusionCharts, and Techsmith Camtasia. The flaws render websites that host these generated SWF files vulnerable to Cross-Site Scripting (XSS).

Wednesday, January 9, 2008

web.xml security constraints help

web.xml security-constraints form the cornerstone of web security for Java Enterprise Applications.

I would like to give some examples of security-constraints that mean different things:

Excluded Resources:

<security-constraint>
  <display-name>excluded</display-name>
  <web-resource-collection>
    <web-resource-name>No Access</web-resource-name>
    <url-pattern>/excluded/*</url-pattern>
    <url-pattern>/restricted/get-only/excluded/*</url-pattern>
    <url-pattern>/restricted/post-only/excluded/*</url-pattern>
    <url-pattern>/restricted/any/excluded/*</url-pattern>
  </web-resource-collection>
  <web-resource-collection>
    <web-resource-name>No Access</web-resource-name>
    <url-pattern>/restricted/*</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>PUT</http-method>
    <http-method>HEAD</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint />
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

In this case, because of the empty auth-constraint element (<auth-constraint />), all the url patterns listed above are excluded from ANY access. Nobody will be able to access these resources.

Unchecked Resources:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>All Access</web-resource-name>
    <url-pattern>/unchecked/*</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>PUT</http-method>
    <http-method>HEAD</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>


In this case, we are saying that for the url pattern /unchecked/* and the http methods declared (HEAD, GET, POST, etc.), access should not be checked. The key here is the missing auth-constraint element.

Restricted GET operation:

<security-constraint>
  <display-name>Restricted GET</display-name>
  <web-resource-collection>
    <web-resource-name>Restricted Access - Get Only</web-resource-name>
    <url-pattern>/restricted/get-only/*</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>GetRole</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

In this case, we declare that the GET operation on the url pattern /restricted/get-only/* can be performed only by a caller with the "GetRole" role.
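The three constraint forms above, combined into one small evaluator so their interaction can be checked against concrete requests. This is an added example, not code from the referenced article or from any servlet container; the web.xml is a condensed copy of the fragments above, and the matching model (the most specific url-pattern whose collection covers the request method wins, then constraints on that pattern are combined) is an assumption about how a container applies the Servlet specification, so verify it against yours.

```python
# Added example: a small model of how a container applies security-constraints.
# WEB_XML is a condensed copy of the three fragments above (names and some HTTP
# methods dropped); the matching model is an assumption, not a container's code.
import xml.etree.ElementTree as ET

WEB_XML = """<web-app>
 <security-constraint>
  <web-resource-collection>
   <url-pattern>/excluded/*</url-pattern>
   <url-pattern>/restricted/get-only/excluded/*</url-pattern>
  </web-resource-collection>
  <web-resource-collection>
   <url-pattern>/restricted/*</url-pattern>
   <http-method>GET</http-method><http-method>POST</http-method>
   <http-method>PUT</http-method><http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint/>
 </security-constraint>
 <security-constraint>
  <web-resource-collection>
   <url-pattern>/unchecked/*</url-pattern>
   <http-method>GET</http-method><http-method>POST</http-method>
  </web-resource-collection>
 </security-constraint>
 <security-constraint>
  <web-resource-collection>
   <url-pattern>/restricted/get-only/*</url-pattern>
   <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>GetRole</role-name></auth-constraint>
 </security-constraint>
</web-app>"""

EXCLUDED, UNCHECKED = "EXCLUDED", "UNCHECKED"

def parse_constraints(xml_text):
    """[(collections, auth)]: collections is [(patterns, methods)]; auth is
    EXCLUDED (empty <auth-constraint/>), UNCHECKED (element absent) or a role set."""
    result = []
    for sc in ET.fromstring(xml_text).findall("security-constraint"):
        collections = []
        for wrc in sc.findall("web-resource-collection"):
            patterns = [p.text.strip() for p in wrc.findall("url-pattern")]
            methods = {m.text.strip().upper() for m in wrc.findall("http-method")}
            collections.append((patterns, methods))
        ac = sc.find("auth-constraint")
        if ac is None:
            auth = UNCHECKED
        else:
            roles = {r.text.strip() for r in ac.findall("role-name")}
            auth = roles if roles else EXCLUDED
        result.append((collections, auth))
    return result

def specificity(pattern, path):
    """How specifically a url-pattern matches a path (-1: no match). An exact
    match beats any path prefix; a longer prefix beats a shorter one."""
    if pattern == path:
        return 10_000
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return len(prefix)
    return -1

def merge(a, b):
    """Excluded overrides everything; an unchecked collection overrides role
    lists (unauthenticated access wins); otherwise role sets are unioned."""
    if EXCLUDED in (a, b):
        return EXCLUDED
    if UNCHECKED in (a, b):
        return UNCHECKED
    return set(a) | set(b)

def applicable_auth(constraints, method, path):
    """EXCLUDED, UNCHECKED, a role set, or None when no collection listing the
    method matches (an uncovered method; Servlet 3.1 adds <deny-uncovered-http-methods/>)."""
    best, combined = -1, None
    for collections, auth in constraints:
        for patterns, methods in collections:
            if methods and method.upper() not in methods:
                continue
            for pattern in patterns:
                spec = specificity(pattern, path)
                if spec > best:
                    best, combined = spec, auth
                elif spec == best and spec >= 0:
                    combined = merge(combined, auth)
    return combined

def decide(constraints, method, path, user_roles=()):
    """'allow' or 'deny' for a caller holding user_roles."""
    auth = applicable_auth(constraints, method, path)
    if auth is None or auth == UNCHECKED:
        return "allow"
    if auth == EXCLUDED:
        return "deny"
    return "allow" if set(user_roles) & auth else "deny"

CONSTRAINTS = parse_constraints(WEB_XML)
```

Note that a POST to /restricted/get-only/ falls through to the excluded /restricted/* collection, while a method listed in no matching collection (OPTIONS here) is unconstrained in this model.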

Reference: http://java.dzone.com/articles/understanding-web-security

Saturday, January 5, 2008

Customer access scenario: XACML Request 1 and Response 1

The data values for the request message are in the following table:

Variable Name       Value              URN
Username            "John Smith"       urn:xacml:2.0:interop:example:subject:user-name
Password            "somepwd"          (no URN: not passed through to authorization, consumed by authentication)
CustomerId          "123456"           urn:oasis:names:tc:xacml:1.0:subject:subject-id
ResourceApplName    "CustomerAccount"  urn:oasis:names:tc:xacml:1.0:resource:resource-id
Action              "ViewAccount"      urn:oasis:names:tc:xacml:1.0:action:action-id
ResourceOwnerId     "123456"           urn:xacml:2.0:interop:example:resource:owner-id
ResourceOwnerName   "John Smith"       urn:xacml:2.0:interop:example:resource:owner-name
ResourceAcctStatus  "Active"           urn:xacml:2.0:interop:example:resource:account-status



The request to a PDP is:


<?xml version="1.0" encoding="UTF-8"?>
<xacml-context:Request
xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation=" urn:oasis:names:tc:xacml:2.0:context:schema:os
http://docs.oasis-open.org/xacml/access_control-xacml-2.0-context-schema-os.xsd">
<Subject
SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="xacml20.interop.com">
<AttributeValue>123456</AttributeValue>
</Attribute>
<Attribute AttributeId="urn:xacml:2.0:interop:example:subject:user-name"
DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="xacml20.interop.com">
<AttributeValue>John Smith</AttributeValue>
</Attribute>
</Subject>
<Resource>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>CustomerAccount</AttributeValue>
</Attribute>
<Attribute AttributeId="urn:xacml:2.0:interop:example:resource:owner-id"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>123456</AttributeValue>
</Attribute>
<Attribute AttributeId="urn:xacml:2.0:interop:example:resource:owner-name"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>John Smith</AttributeValue>
</Attribute>
<Attribute AttributeId="urn:xacml:2.0:interop:example:resource:account-status"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>Active</AttributeValue>
</Attribute>
</Resource>
<Action>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>ViewAccount</AttributeValue>
</Attribute>
</Action>
<Environment/>
</xacml-context:Request>


The response from the PDP should be:

<?xml version="1.0" encoding="UTF-8"?>
<xacml-context:Response
xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os
http://docs.oasis-open.org/xacml/access_control-xacml-2.0-context-schema-os.xsd">
<Result>
<Decision>Permit</Decision>
<Status>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
<StatusMessage>Success</StatusMessage>
<StatusDetail/>
</Status>
<xacml:Obligations
xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
<xacml:Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:decision"
FulfillOn="Permit"/>
<xacml:Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:status-code"
FulfillOn="Permit"/>
<xacml:Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:status-message"
FulfillOn="Permit"/>
</xacml:Obligations>
</Result>
</xacml-context:Response>

XACML PolicySet (Root Policy Set for all Queries)

Authorization Decision

The following scenarios serve as examples of the operation of the Authorization Use Case.
The Authorization Decision scenarios are governed by XACML policies that apply the following rules:
Rule 1: a customer, identified by their customer-id, can only view an account for which they are the owner and for an account that has an active status.
Rule 2: a customer can only make a purchase up to the value of the credit line and the trade limit in their account, or, if the credit line is exceeded then the customer must request a credit extension approval from the account manager, and, if the trade limit is exceeded then the customer must request a trade approval from the account manager.
Rule 3: a customer can only make a sale of quantities of stocks that exist in their account that have no restrictions on sales.
Rule 4: an account manager can only approve a trade on a customer account if the acct manager is the designated manager of that account.
Rule 5: an account manager can only approve trades on the account that the customer has requested, in particular, only the quantities and particular stocks that the customer has designated.
Rule 6: an account manager can make a trade on behalf of a customer only if there is a valid customer-supplied authorization code (such as from a real time smart card password generator that the customer has access to when phoning in the order).
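Rule 1 applied to the request above, as a minimal PDP written for this post (an added example, not part of the OASIS interop kit). It models only PolicySet root01 and Policy 01 of the PolicySet that follows: the Target (CustomerAccount, Active, ViewAccount), the string-equal condition on subject-id and owner-id, the catch-all Deny rule, and permit-overrides combining. make_request, bags_of and the values "999999" and "Closed" are constructed for the example.

```python
# Added example: a tiny PDP for the ViewAccount scenario. It parses a Request
# shaped like the one above and evaluates PolicySet root01 / Policy 01 by hand.
# Not part of the OASIS interop kit; root02 (Buy) is not modelled, so requests
# outside root01's Target come back NotApplicable.
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
NS = {"c": CTX}
STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
OWNER_ID = "urn:xacml:2.0:interop:example:resource:owner-id"
ACCT_STATUS = "urn:xacml:2.0:interop:example:resource:account-status"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

class Indeterminate(Exception):
    """An expression could not be evaluated (XACML 'Indeterminate')."""

def attr(attribute_id, value):
    return (f'<Attribute AttributeId="{attribute_id}" DataType="{STRING}">'
            f'<AttributeValue>{value}</AttributeValue></Attribute>')

def make_request(subject_id, owner_id, status, action):
    """Request with the structure shown above; the values are parameters so
    several cases can be tried. subject_id=None omits the subject-id attribute."""
    subject = attr(SUBJECT_ID, subject_id) if subject_id is not None else ""
    return f"""<Request xmlns="{CTX}">
  <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    {subject}
  </Subject>
  <Resource>
    {attr(RESOURCE_ID, 'CustomerAccount')}
    {attr(OWNER_ID, owner_id)}
    {attr(ACCT_STATUS, status)}
  </Resource>
  <Action>{attr(ACTION_ID, action)}</Action>
  <Environment/>
</Request>"""

def bags_of(request_xml):
    """Flatten the Request into {(category, AttributeId): [values]}; an
    attribute designator yields a bag that may be empty or hold several values."""
    bags = {}
    for elem in ET.fromstring(request_xml):
        category = elem.tag.split("}")[1]          # Subject, Resource, Action, ...
        for a in elem.findall("c:Attribute", NS):
            key = (category, a.get("AttributeId"))
            values = [v.text or "" for v in a.findall("c:AttributeValue", NS)]
            bags.setdefault(key, []).extend(values)
    return bags

def one_and_only(bags, category, attribute_id):
    """string-one-and-only: the bag must hold exactly one value."""
    bag = bags.get((category, attribute_id), [])
    if len(bag) != 1:
        raise Indeterminate(f"{attribute_id}: {len(bag)} values")
    return bag[0]

def target_matches(bags):
    """Target of root01 and Rule 01: resource-id CustomerAccount, account
    status Active, action ViewAccount (a Match is true if any bag value matches)."""
    return ("CustomerAccount" in bags.get(("Resource", RESOURCE_ID), [])
            and "Active" in bags.get(("Resource", ACCT_STATUS), [])
            and "ViewAccount" in bags.get(("Action", ACTION_ID), []))

def rule01(bags):
    """Rule 01, Effect=Permit. Condition = variableid:01:
    string-equal(one-and-only(subject-id), one-and-only(owner-id))."""
    subject = one_and_only(bags, "Subject", SUBJECT_ID)
    owner = one_and_only(bags, "Resource", OWNER_ID)
    return "Permit" if subject == owner else "NotApplicable"  # false condition

def policy01(bags):
    """permit-overrides over Rule 01 and ruleid:deny01 (XACML 2.0, App. C.1).
    deny01 has an empty Target and no Condition, so it always yields Deny; an
    Indeterminate Permit-rule therefore makes the combined result Indeterminate."""
    try:
        if rule01(bags) == "Permit":
            return "Permit"
    except Indeterminate:
        return "Indeterminate"
    return "Deny"

def decide(request_xml):
    """Root PolicySet: only root01 is modelled, and a PolicySet whose Target
    does not match evaluates to NotApplicable."""
    bags = bags_of(request_xml)
    return policy01(bags) if target_matches(bags) else "NotApplicable"
```

The page's own request (customer 123456 viewing the account owned by 123456, status Active) yields Permit; a mismatched customer id yields Deny, and a missing subject-id yields Indeterminate rather than Deny, which is the point of the empty-bag handling in one_and_only.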




<?xml version="1.0" encoding="UTF-8"?>
<PolicySet
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
PolicySetId="urn:xacml:2.0:interop:example:root-policy-set"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
<Description>
Root PolicySet to begin all queries.
</Description>
<Target/>
<PolicySet
PolicySetId="urn:xacml:2.0:interop:example:policysetid:root01"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
<Description>
Policy for evaluating CustomerAccount/ViewAccount requests
</Description>
<Target>
<!-- This rule permits access to CustomerAccount resources -->
<Resources>
<!-- CustomerAccount -->
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>CustomerAccount</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
<!-- Account must have Active status -->
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>Active</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:account-status"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
</Resources>
<!-- This rule only applies to the ViewAccount action -->
<Actions>
<Action>
<ActionMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>ViewAccount</AttributeValue>
<ActionAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ActionMatch>
</Action>
</Actions>
</Target>
<Policy
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
PolicyId="urn:xacml:2.0:interop:example:policyid:01"
RuleCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
<Description>
XACML 2.0 Interop Example Policy 01: Only allow a customer whose id matches the
account owner-id to access the account and only if the account status is active.
</Description>
<Target/>
<VariableDefinition VariableId="urn:xacml:2.0:interop:example:variableid:01">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:owner-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Apply>
</VariableDefinition>
<Rule RuleId="urn:xacml:2.0:interop:example:ruleid:01"
Effect="Permit">
<Description>
XACML 2.0 Interop Example Rule 01: Only allow a customer whose id matches the
account owner-id to access the account and only if the account status is active.
</Description>
<Target>
<!-- This rule permits access to CustomerAccount resources -->
<Resources>
<!-- CustomerAccount is application being accessed -->
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>CustomerAccount</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
<!-- Account must have Active status -->
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>Active</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:account-status"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
</Resources>
<!-- This rule only applies to the ViewAccount action -->
<Actions>
<Action>
<ActionMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>ViewAccount</AttributeValue>
<ActionAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ActionMatch>
</Action>
</Actions>
</Target>
<Condition>
<VariableReference VariableId="urn:xacml:2.0:interop:example:variableid:01"/>
</Condition>
</Rule>
<Rule RuleId="urn:xacml:2.0:interop:example:ruleid:deny01" Effect="Deny">
<Description>
This Policy is permit-overrides, therefore if a rule above evaluated to
Permit this Rule will be skipped. However, if no Permit was obtained, this
Rule evaluates to true and so produces a Deny. Therefore evaluation of this
Policy results in either a Permit or Deny which is the intended effect.
</Description>
<Target/>
</Rule>
<Obligations>
<!-- These obligations tell PEP to provide specific data items to the response -->
<!-- This obligation says provide the xacml:Decision data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:decision"
FulfillOn="Permit"/>
<!-- This obligation says provide the xacml:StatusCode data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:status-code"
FulfillOn="Permit"/>
<!-- This obligation says provide the xacml:StatusMessage data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:status-message"
FulfillOn="Permit"/>
<!-- This obligation says provide the xacml:Decision data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:decision"
FulfillOn="Deny"/>
<!-- This obligation says provide the xacml:StatusCode data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:status-code"
FulfillOn="Deny"/>
<!-- This obligation says provide the xacml:StatusMessage data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:status-message"
FulfillOn="Deny"/>
</Obligations>
</Policy>
</PolicySet>
<PolicySet
PolicySetId="urn:xacml:2.0:interop:example:policysetid:root02"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
<Description>
Policy for evaluating CustomerAccount/Buy requests
</Description>
<Target>
<!-- This rule permits access to CustomerAccount resources -->
<Resources>
<!-- CustomerAccount -->
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>CustomerAccount</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
<!-- Account must have Active status -->
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>Active</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:account-status"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
</Resources>
<!-- This rule only applies to the Buy action -->
<Actions>
<Action>
<ActionMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>Buy</AttributeValue>
<ActionAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ActionMatch>
</Action>
</Actions>
</Target>
<PolicySet
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
PolicySetId="urn:xacml:2.0:interop:example:policysetid:01"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
<Description>
Policyset to evaluate trade-limit and credit-ext restrictions
</Description>
<Target/>
<Policy
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
PolicyId="urn:xacml:2.0:interop:example:policyid:02"
RuleCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
<Description>
XACML 2.0 Interop Example Policy 02: Only allow a customer whose id matches the
account owner-id to access the account and only if the account status is active.
Only allow trades that have value within credit-line and trade-limit restrictions.
</Description>
<Target/>
<VariableDefinition VariableId="urn:xacml:2.0:interop:example:variableid:01.2">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:owner-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Apply>
</VariableDefinition>
<VariableDefinition VariableId="urn:xacml:2.0:interop:example:variableid:02">
<!-- Function to evaluate: -->
<!-- ((buy-num-shares x buy-offer-price) le -->
<!-- (credit-line - current-credit)) and -->
<!-- ((buy-num-shares x buy-offer-price) le trade-limit) -->
<!-- If both expressions are true, the Request is within limits -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<Apply FunctionId=
"urn:oasis:names:tc:xacml:1.0:function:integer-less-than-or-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-multiply">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:subject:buy-num-shares"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:subject:buy-offer-price"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-subtract">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:credit-line"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:current-credit"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
</Apply>
</Apply>
<Apply FunctionId=
"urn:oasis:names:tc:xacml:1.0:function:integer-less-than-or-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-multiply">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:subject:buy-num-shares"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:subject:buy-offer-price"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:trade-limit"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
</Apply>
</Apply>
</VariableDefinition>
<Rule RuleId="urn:xacml:2.0:interop:example:ruleid:02"
Effect="Permit">
<Description>
XACML 2.0 Interop Example Rule 02: Only allow a customer whose id matches the
account owner-id to access the account and only if the account status is active.
</Description>
<Target>
<!-- This rule permits access to CustomerAccount resources -->
<Resources>
<!-- CustomerAccount -->
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>CustomerAccount</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
<!-- Account must have Active status -->
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>Active</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:account-status"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
</Resources>
<!-- This rule only applies to the Buy action -->
<Actions>
<Action>
<ActionMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>Buy</AttributeValue>
<ActionAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ActionMatch>
</Action>
</Actions>
</Target>
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<VariableReference VariableId="urn:xacml:2.0:interop:example:variableid:01.2"/>
<VariableReference VariableId="urn:xacml:2.0:interop:example:variableid:02"/>
</Apply>
</Condition>
</Rule>
<Rule RuleId="urn:xacml:2.0:interop:example:ruleid:deny02" Effect="Deny">
<Description>
This Policy is permit-overrides, therefore if a rule above evaluated to
Permit this Rule will be skipped. However, if no Permit was obtained, this
Rule evaluates to true and so produces a Deny. Therefore evaluation of this
Policy results in either a Permit or Deny which is the intended effect.
</Description>
<Target/>
</Rule>
<Obligations>
<!-- These obligations tell PEP to provide specific data items to the response -->
<!-- This obligation says provide the xacml:Decision data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:decision"
FulfillOn="Permit"/>
<!-- This obligation says provide the xacml:StatusCode data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:status-code"
FulfillOn="Permit"/>
<!-- This obligation says provide the xacml:StatusMessage data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:status-message"
FulfillOn="Permit"/>
<!-- This obligation says provide the xacml:Decision data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:decision"
FulfillOn="Deny"/>
<!-- This obligation says provide the xacml:StatusCode data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:status-code"
FulfillOn="Deny"/>
<!-- This obligation says provide the xacml:StatusMessage data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:status-message"
FulfillOn="Deny"/>
</Obligations>
</Policy>
<PolicySet
PolicySetId="urn:xacml:2.0:interop:example:policysetid:06"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
<Description>
Policy for picking up trade-limit or credit-ext obligations
</Description>
<Target/>
<Policy
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
PolicyId="urn:xacml:2.0:interop:example:policyid:03"
RuleCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
<Description>
XACML 2.0 Interop Example Policy 03: Only allow a customer whose id matches the
account owner-id to access the account and only if the account status is active.
Only allow trades that have value exceeding trade-limit
and req-trade-approval = true.
</Description>
<Target/>
<VariableDefinition VariableId="urn:xacml:2.0:interop:example:variableid:01.3">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:owner-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Apply>
</VariableDefinition>
<VariableDefinition VariableId="urn:xacml:2.0:interop:example:variableid:03">
<!-- Function to evaluate: -->
<!-- buy-num-shares x buy-offer-price gt trade-limit -->
<!-- AND req-trade-approval = true -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-multiply">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:subject:buy-num-shares"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:subject:buy-offer-price"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:trade-limit"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>true</AttributeValue>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:subject:req-trade-approval"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Apply>
</Apply>
</VariableDefinition>
<Rule RuleId="urn:xacml:2.0:interop:example:ruleid:03"
Effect="Permit">
<Description>
XACML 2.0 Interop Example Rule 03: Only allow a customer whose id matches the
account owner-id to access the account and only if the account status is active.
</Description>
<Target>
<!-- This rule permits access to CustomerAccount resources -->
<Resources>
<!-- CustomerAccount -->
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>CustomerAccount</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
<!-- Account must have Active status -->
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>Active</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:account-status"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
</Resources>
<!-- This rule only applies to the Buy action -->
<Actions>
<Action>
<ActionMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>Buy</AttributeValue>
<ActionAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ActionMatch>
</Action>
</Actions>
</Target>
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<VariableReference VariableId="urn:xacml:2.0:interop:example:variableid:01.3"/>
<VariableReference VariableId="urn:xacml:2.0:interop:example:variableid:03"/>
</Apply>
</Condition>
</Rule>
<Obligations>
<!-- These obligations tell PEP to provide specific data items to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:trade-approval"
FulfillOn="Permit"/>
</Obligations>
</Policy>
<Policy
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
PolicyId="urn:xacml:2.0:interop:example:policyid:04"
RuleCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
<Description>
XACML 2.0 Interop Example Policy 04: Only allow a customer whose id matches the
account owner-id to access the account and only if the account status is active.
Only allow trades that have value exceeding credit-limit
and req-credit-ext-approval = true.
</Description>
<Target/>
<VariableDefinition VariableId="urn:xacml:2.0:interop:example:variableid:01.4">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:owner-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Apply>
</VariableDefinition>
<VariableDefinition VariableId="urn:xacml:2.0:interop:example:variableid:04">
<!-- Function to evaluate: -->
<!-- ( buy-num-shares x buy-offer-price ) gt -->
<!-- ( credit-line - current-credit ) -->
<!-- AND req-credit-ext-approval = true -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-multiply">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:subject:buy-num-shares"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:subject:buy-offer-price"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-subtract">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:credit-line"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:current-credit"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
</Apply>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>true</AttributeValue>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<SubjectAttributeDesignator AttributeId=
"urn:xacml:2.0:interop:example:subject:req-credit-ext-approval"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Apply>
</Apply>
</VariableDefinition>
<Rule RuleId="urn:xacml:2.0:interop:example:ruleid:04"
Effect="Permit">
<Description>
XACML 2.0 Interop Example Rule 04: Only allow a customer whose id matches the
account owner-id to access the account and only if the account status is active.
</Description>
<Target>
<!-- This rule permits access to CustomerAccount resources -->
<Resources>
<!-- CustomerAccount -->
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>CustomerAccount</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
<!-- Account must have Active status -->
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>Active</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:account-status"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
</Resources>
<!-- This rule only applies to the Buy action -->
<Actions>
<Action>
<ActionMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>Buy</AttributeValue>
<ActionAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ActionMatch>
</Action>
</Actions>
</Target>
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<VariableReference VariableId="urn:xacml:2.0:interop:example:variableid:01.4"/>
<VariableReference VariableId="urn:xacml:2.0:interop:example:variableid:04"/>
</Apply>
</Condition>
</Rule>
<Obligations>
<!-- These obligations tell PEP to provide specific data items to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:credit-ext-approval"
FulfillOn="Permit"/>
</Obligations>
</Policy>
<Policy
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
PolicyId="urn:xacml:2.0:interop:example:policyid:05"
RuleCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
<Description>
XACML 2.0 Interop Example Policy 05: Only allow a customer whose id matches the
account owner-id to access the account and only if the account status is active.
Disallow trades that have value exceeding a limit without the associated
Request for approval = true.
</Description>
<Target/>
<VariableDefinition VariableId="urn:xacml:2.0:interop:example:variableid:01.5">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:owner-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Apply>
</VariableDefinition>
<VariableDefinition VariableId="urn:xacml:2.0:interop:example:variableid:05">
<!-- Function to evaluate: -->
<!-- ( ( ( buy-num-shares x buy-offer-price ) gt -->
<!-- ( credit-line - current-credit ) ) AND -->
<!-- ( req-credit-ext-approval == false ) ) -->
<!-- OR ( ( buy-num-shares x buy-offer-price ) gt trade-limit -->
<!-- AND req-trade-approval == false ) -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-multiply">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:subject:buy-num-shares"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:subject:buy-offer-price"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-subtract">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:credit-line"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:current-credit"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
</Apply>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>false</AttributeValue>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<SubjectAttributeDesignator AttributeId=
"urn:xacml:2.0:interop:example:subject:req-credit-ext-approval"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Apply>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-multiply">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:subject:buy-num-shares"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:subject:buy-offer-price"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:trade-limit"
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
</Apply>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>false</AttributeValue>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:subject:req-trade-approval"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Apply>
</Apply>
</Apply>
</VariableDefinition>
<Rule RuleId="urn:xacml:2.0:interop:example:ruleid:05"
Effect="Deny">
<Description>
XACML 2.0 Interop Example Rule 05: Only allow a customer whose id matches the
account owner-id to access the account and only if the account status is active.
</Description>
<Target>
<!-- This rule applies to CustomerAccount resources (Effect="Deny") -->
<Resources>
<!-- CustomerAccount -->
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>CustomerAccount</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
<!-- Account must have Active status -->
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>Active</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:xacml:2.0:interop:example:resource:account-status"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
</Resources>
<!-- This rule only applies to the Buy action -->
<Actions>
<Action>
<ActionMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>Buy</AttributeValue>
<ActionAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ActionMatch>
</Action>
</Actions>
</Target>
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<VariableReference VariableId="urn:xacml:2.0:interop:example:variableid:01.5"/>
<VariableReference VariableId="urn:xacml:2.0:interop:example:variableid:05"/>
</Apply>
</Condition>
</Rule>
<Obligations>
<!-- These obligations tell PEP to provide specific data items to the response -->
<!-- This obligation says provide the xacml:Decision data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:decision"
FulfillOn="Deny"/>
<!-- This obligation says provide the xacml:StatusCode data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:status-code"
FulfillOn="Deny"/>
<!-- This obligation says provide the xacml:StatusMessage data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:status-message"
FulfillOn="Deny"/>
</Obligations>
</Policy>
<Obligations>
<!-- These obligations tell PEP to provide specific data items to the response -->
<!-- This obligation says provide the xacml:Decision data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:decision"
FulfillOn="Permit"/>
<!-- This obligation says provide the xacml:StatusCode data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:status-code"
FulfillOn="Permit"/>
<!-- This obligation says provide the xacml:StatusMessage data to the response -->
<Obligation
ObligationId="urn:xacml:2.0:interop:example:obligation:status-message"
FulfillOn="Permit"/>
</Obligations>
</PolicySet>
</PolicySet>
</PolicySet>
</PolicySet>
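The policy tree above, as an added worked example that is not part of the interop document or of any XACML engine: a plain-Python model of PolicySet 01 (permit-overrides over Policy 02 and PolicySet 06) and PolicySet 06 (deny-overrides over Policies 03 to 05) deciding a Buy request. The request values (trader-1, credit-line 15000, trade-limit 10000 and so on) are constructed for the example, and Indeterminate results from missing attributes are not modelled.

```python
# Added example, not part of the interop document or of any XACML engine: a
# plain-Python model of the policy tree above (PolicySet 01 permit-overrides
# over Policy 02 and PolicySet 06; PolicySet 06 deny-overrides over Policies
# 03-05) deciding a Buy request. Attribute names follow the policy; request
# values are constructed. Indeterminate (missing attributes) is not modelled.
from dataclasses import dataclass, field

PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"
STATUS = ["decision", "status-code", "status-message"]  # obligation ids

@dataclass
class Decision:
    effect: str
    obligations: list = field(default_factory=list)

def applies(req, condition):
    # Shared Target of Rules 02-05 (CustomerAccount, Active, Buy) plus the
    # subject-id == owner-id check (variableid:01.x) in every Condition.
    return (req["resource-id"] == "CustomerAccount"
            and req["account-status"] == "Active" and req["action-id"] == "Buy"
            and req["subject-id"] == req["owner-id"] and condition)

def over_credit(req):  # buy-num-shares x buy-offer-price gt available credit
    value = req["buy-num-shares"] * req["buy-offer-price"]
    return value > req["credit-line"] - req["current-credit"]

def over_trade_limit(req):  # buy-num-shares x buy-offer-price gt trade-limit
    return req["buy-num-shares"] * req["buy-offer-price"] > req["trade-limit"]

def policy_02(req):
    # permit-overrides: Rule 02 permits a trade within both limits
    # (variableid:02); otherwise the empty-target Rule deny02 yields Deny.
    if applies(req, not over_credit(req) and not over_trade_limit(req)):
        return Decision(PERMIT, list(STATUS))
    return Decision(DENY, list(STATUS))

def policy_03(req):
    # Rule 03: over trade-limit and req-trade-approval is the *string* "true".
    if applies(req, over_trade_limit(req) and req["req-trade-approval"] == "true"):
        return Decision(PERMIT, ["trade-approval"])
    return Decision(NA)

def policy_04(req):
    # Rule 04: over available credit and req-credit-ext-approval == "true".
    if applies(req, over_credit(req) and req["req-credit-ext-approval"] == "true"):
        return Decision(PERMIT, ["credit-ext-approval"])
    return Decision(NA)

def policy_05(req):
    # Rule 05 (Deny): an excess whose approval flag is the string "false".
    unapproved = ((over_credit(req) and req["req-credit-ext-approval"] == "false")
                  or (over_trade_limit(req) and req["req-trade-approval"] == "false"))
    return Decision(DENY, list(STATUS)) if applies(req, unapproved) else Decision(NA)

def combine(decisions, algorithm):
    # x-overrides: the overriding effect wins if any child returned it, and
    # only obligations from children sharing the final effect are kept.
    order = (PERMIT, DENY) if algorithm == "permit-overrides" else (DENY, PERMIT)
    for effect in order:
        hits = [d for d in decisions if d.effect == effect]
        if hits:
            return Decision(effect, [o for d in hits for o in d.obligations])
    return Decision(NA)

def policy_set_06(req):
    result = combine([policy_03(req), policy_04(req), policy_05(req)], "deny-overrides")
    if result.effect == PERMIT:  # PolicySet 06's own FulfillOn="Permit" set
        result.obligations += STATUS
    return result

def policy_set_01(req):
    return combine([policy_02(req), policy_set_06(req)], "permit-overrides")

# Constructed request: trader-1 owns the account and has 5000 credit left.
BASE_REQUEST = {
    "subject-id": "trader-1", "owner-id": "trader-1",
    "resource-id": "CustomerAccount", "account-status": "Active",
    "action-id": "Buy", "credit-line": 15000, "current-credit": 10000,
    "trade-limit": 10000, "buy-num-shares": 100, "buy-offer-price": 40,
    "req-trade-approval": "false", "req-credit-ext-approval": "false",
}

def decide(overrides):  # e.g. decide({"buy-offer-price": 120}) -> Deny
    return policy_set_01({**BASE_REQUEST, **overrides})
```

Because the policy compares the approval flags with string-equal against "true" and "false", a request carrying any other spelling (say "True") matches neither the approval rules nor Rule 05, and falls through to Policy 02's Deny.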

OASIS XACML Interoperability Event at the Burton Conference 2007

I want to post the XACML Policy Set (with the individual policies) and the requests/responses used during the first OASIS XACML Interoperability Event at the Burton Catalyst Conference in 2007. The policies, requests and responses were generated by Rich Levinson of Oracle (with feedback from the interop participants, of course). My intent here is to help XACML adopters with some real-life examples of policies. :)

The complete interop document is here.

Rich's blog post is here.

Listen to a podcast from Gerry Gebel of Burton Group with Hal Lockhart and Rich Levinson.

The Client Research report from Burton is here (requires subscription).

As usual, my two seconds of fame at InfoQ: "XACML finally ready for prime time?".

Thursday, January 3, 2008

Cyber Bullying and the lack of legislation

Parry Aftab has an excellent, eye-opening write-up on the growing trend of cyber bullying and the lack of any legislation for the victims.

One form of harassment that’s on the rise is cyberbullying -- when one young person is targeted by one or more other young persons using interactive technologies. The most common cyberbullying platform in recent years takes place on Web 2.0 networks, like MySpace and YouTube Inc. Cyberbullies use these sites to post real or made-up information designed to embarrass their target and to get others on board. In some cases, online surveys are created to vote for the ugliest, fattest, most unpopular kids in school, post mean comments about them, and display pictures intended to humiliate them.


The need for an increased trust-based relationship between parents and children has never been as vital as it is now in the modern, cyber-savvy world.

Read http://anil-identity.blogspot.com/2007/12/keep-kids-safe-on-internet.html

It is a welcome sign when an online social networking site such as Facebook tries to improve the security of young kids. But how much is really sufficient?
Facebook to Strengthen Child Warnings

Also visit Parry's website at http://wiredsafety.org/

Good job Parry.