- From: Laura Arribas via cvs-syncmail <cvsmail@w3.org>
- Date: Wed, 07 Apr 2010 09:23:58 +0000
- To: public-dap-commits@w3.org
Update of /sources/public/2009/dap/policy In directory hutz:/tmp/cvs-serv1663 Modified Files: Overview.html Log Message: ACTION-152 Edit policy framework, reviewing BONDI material and editorial update. Index: Overview.html =================================================================== RCS file: /sources/public/2009/dap/policy/Overview.html,v retrieving revision 1.2 retrieving revision 1.3 diff -u -d -r1.2 -r1.3 --- Overview.html 30 Mar 2010 13:37:20 -0000 1.2 +++ Overview.html 7 Apr 2010 09:23:55 -0000 1.3 @@ -42,7 +42,7 @@ security framework. This includes definitions of each of the entities involved in the definition of an access control policy, and a definition of the attributes of each entity that are recognised - and are required to be supported. This specification uses [[!XACML]]. + and are required to be supported. This specification uses [[!XACML]] (*** XACML MISSING REF ENTRY OASIS eXtensible Access Control Markup Language (XACML) Version 2.0 ***). </p> <section id="application-execution-phases"> <h3>Application Execution Phases</h3> @@ -85,10 +85,10 @@ <li>IRI</li> </ul> <p> - Each modifier function (***section link***) defines its result type, and how the function's effect depends on the type of the input. + Each <a href=#modifier-function>modifier function</a> defines its result type, and how the function's effect depends on the type of the input. </p> <p> - Each matching function (***section link***) defines how it depends on the type of its input. + Each <a href=#matching-function>matching function</a> defines how it depends on the type of its input. </p> <p> Where a modifier function or matching function does not specify how it treats an input of a particular type, it implicitly converts the value to a bag of strings before performing its operation. 
@@ -97,7 +97,7 @@ When evaluating an access control query at a given application Execution Phase, an expression may have undetermined value if one or more of the attributes on which it depends has undetermined value at that execution phase. </p> <p> - For each modifier function (***section link***) and matching function (***section link***), its result for a given set of inputs is determined if and only if all of its inputs are determined. + For each <a href=#modifier-function>modifier function</a> and <a href=#matching-function>matching function</a>, its result for a given set of inputs is determined if and only if all of its inputs are determined. </p> <p> The syntax used for encoding a certificate fingerprint in DAP Security Policy documents is the SDP syntax defined in [[!RFC4572]] without the "fingerprint" scheme, as follows: @@ -132,7 +132,7 @@ The Widget identity type applies to all operations associated with a Widget Resource, or occurring in the execution of a document belonging to a Widget Resource. </p> <p> - Operations occurring in the execution of a remotely hosted document that has been loaded by a Widget (for example in an iframe) use a Website identity (see the next section). + Operations occurring in the execution of a remotely hosted document that has been loaded by a Widget (for example in an iframe) use a <a href=#website-identity>Website identity</a>. </p> <table border="1" summary=""> <caption> <dfn id="widget-subject-attributes-table">Widget Subject Attributes Table</dfn></caption> @@ -292,7 +292,7 @@ <tr> <td>api-feature (*** ref: ****)</td> <td>URI</td> - <td>The IRI identifier of the requested Feature converted to URI as per RFC3987 (*** ref: ***).</td> + <td>The IRI identifier of the requested Feature converted to URI as per RFC3987 [[!IRI]].</td> <td>This uses the same naming scheme as in a widget's <feature> element. See Appendix A (*** change this ref ****). Determined for all applicable application Execution Phases.</td> </tr> <tr> 
@@ -372,7 +372,7 @@ <tr> <td>bearer-type</td> <td>string</td> - <td>The type of the current network bearer over which a network request will be served, either by request of the application or by default (per the current serving network or the one over which the request will be served, if multiple networks are available). A comma-separated list of one or more of the bearer types given as examples in W3C DCO (*** ref: http://www.w3.org/TR/dcontology/#BearerType ***).</td> + <td>The type of the current network bearer over which a network request will be served, either by request of the application or by default (per the current serving network or the one over which the request will be served, if multiple networks are available). A comma-separated list of one or more of the bearer types given as examples in W3C DCO [[DCONTOLOGY]].</td> <td>Determined in the following Execution Phases: <ul> <li>widget-instantiate</li> @@ -444,12 +444,12 @@ </section> <!-- target --> <section id="decision"> <h3>Decision</h3> - <p>If determined, the result of a <em>rule</em> or <em>policy</em> or <em>policy set</em> is a <em>decision</em>, either “not applicable” or any one of the <em>effects</em> “permit”, “prompt-blanket”, “prompt-session”, “prompt-oneshot” or “deny”. The <em>effects</em> are defined in (ref **** section: Effect ***) + <p>If determined, the result of a <em>rule</em> or <em>policy</em> or <em>policy set</em> is a <em>decision</em>, either “not applicable” or any one of the <a href="#effect"><em>effects</em></a> “permit”, “prompt-blanket”, “prompt-session”, “prompt-oneshot” or “deny”. </p> <p> The result of a <em>rule</em> or <em>policy</em> or <em>policy set</em> may be undetermined under conditions specified for each below. </p> - </section> <!-- decision --> + </section> <!-- decision --> <section id="rule"> <h3>Rule</h3> <p>The <em>condition</em> of a <em>rule</em> specifies extra criteria that need to be matched before the <em>rule</em> becomes applicable. 
@@ -460,21 +460,21 @@ <p> The AND operator is evaluated as follows: <ul> - <li>is determined and has value “no match” if any input is “no match</li> + <li>is determined and has value “no match” if any input is “no match”</li> <li>otherwise is undetermined if any input is undetermined</li> <li>otherwise is determined and has value “match”</li> </ul> The OR operator is evaluated as follows: <ul> - <li>is determined and has value “match” if any input is “match</li> + <li>is determined and has value “match” if any input is “match”</li> <li>otherwise is undetermined if any input is undetermined</li> - <li>otherwise is determined and has value “no match</li> + <li>otherwise is determined and has value “no match”</li> </ul> </p> </section> <!-- decision --> <section id="policy"> <h3>Policy</h3> - <p>A <em>policy</em> has a <em>target</em>, and a list of zero or more <em>rules</em> combined using a <em>rule-combining algorithm</em>. See section B.19 (**** ref: Combining Algorithm ****) for the combining algorithms. Where a directive attribute query finds more than one applicable directive attribute set, the first one is used. + <p>A <em>policy</em> has a <em>target</em>, and a list of zero or more <em>rules</em> combined using a <a href=#combining-algorithm><em>rule-combining algorithm</em></a>. Where a directive attribute query finds more than one applicable directive attribute set, the first one is used. </p> <p>A <em>policy</em> optionally has a textual description. </p> 
@@ -490,7 +490,7 @@ <p>The overall security framework is a <em>policy set</em>. </p> <p> - A <em>policy set</em> is a target with a list of zero or more <em>policies</em> and <em>policy sets</em> combined using a <em>policy-combining algorithm</em>. See section B.19 (*** ref: Combining Algorithms ***) for the combining algorithms. Where a directive attribute query finds more than one applicable directive attribute set, the first one is used. + A <em>policy set</em> is a target with a list of zero or more <em>policies</em> and <em>policy sets</em> combined using a <a href=#combining-algorithm><em>policy-combining algorithm</em></a>. Where a directive attribute query finds more than one applicable directive attribute set, the first one is used. </p> <p> A <em>policy set</em> optionally has an id. If an implementation provides a means to provision a security policy fragment to replace an existing one, this id can be used to identify the <em>policy</em> or <em>policy set</em> to replace. No management of ids is mandated, therefore it is recommended that a standardised textual representation of a UUID should be used as the id. 
@@ -522,7 +522,7 @@ <h4>Globbing Matching Function</h4> <p>True if and only if, for some string in the first input string bag, the entire string matches the glob pattern in some string in the second input string bag. If either input is the empty bag, the result is false. An input of type other than empty bag or string bag is converted to string bag first. </p> - <p>A glob pattern is as described in SUSv3 (**** ref: http://www.unix.org/single_unix_specification/ ****) section 2.13 Pattern Matching Notation but excluding 2.13.3 Patterns Used for Filename Expansion. + <p>A glob pattern is as described in [[!SUSv3]] (**** ref: http://www.unix.org/single_unix_specification/ MISSING REF ENTRY ****) section 2.13 Pattern Matching Notation but excluding 2.13.3 Patterns Used for Filename Expansion. </p> <p>Using this function with a glob pattern of “*” (a single asterisk) is a convenient way to test whether the first input is not an empty bag. </p> @@ -530,9 +530,9 @@ <section id="regular-expression-matching-function"> <h4>Regular Expression Matching Function</h4> - <p>Edit TBD + <p>True if and only if, for some string in the first input string bag, some part of the string matches the regular expression pattern in some string in the second input string bag. If either input is the empty bag, the result is false. An input of type other than empty bag or string bag is converted to string bag first. </p> - <p>This uses the definition of regular expressions in ECMAScript 3rd edition (*** ref: http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-262.pdf ***) + <p>This uses the definition of regular expressions in ECMAScript 3rd edition [[!ECMA-262]]. </p> </section> <!-- regular-expression-matching-function --> </section> <!-- matching-function --> 
@@ -707,16 +707,90 @@ <section id="schema"> <h3>Schema</h3> <section id="signed-policy"> - <h4><signed-policy></h4> - <p>The root element of a signed policy document is a <signed-policy>. + <h4>The <code><signed-policy></code> Element</h4> + <p>The root element of a signed policy document is a <code><code><signed-policy></code></code>. </p> - <p><signed-policy> contains, in any order, exactly one <signature> element and one or more elements each of which is either <policy-set> or <policy>. + <p><code><signed-policy></code> contains, in any order, exactly one <code><signature></code> element and one or more elements each of which is either <code><policy-set></code> or <code><policy></code>;. </p> + </section> + <section id="signature"> + <h4>The <code><signature></code> Element</h4> + <p>The <code><signature></code> element, as a child of <code><signed-policy></code>, specifies the detached digital signature of the signed policy document as defined in XML Digital Signature [[!XMLDSIG-CORE2]], with the following additional constraints: + </p> + <ul> + <li>the <code><signature></code> element <em title="must" class="rfc2119">must</em> contain one or more valid <Reference> elements;</li> + <li>the URL attribute of each <Reference> element <em title="must" class="rfc2119">must</em> contain a reference to a <code><policy></code>; or <code><policy-set></code> element that is a sibling of the <code><signature></code> element in the same Signed Policy Document;</li> + <li>the <Reference> element <em title="must" class="rfc2119">must not</em> have any <Transform> elements;</li> + <li>the Widget User Agent <em title="must" class="rfc2119">must</em> treat the <code><signed-policy></code> as invalid if it has a child <code><policy></code>; or <code><policy-set></code> element for which there is no <Reference> element.</li> + </ul> + <p> + Processing of the signature is specified in section (*** change ref ***). 
+ </p> + </section> + <section id="policy-set"> + <h4>The <code><policy-set></code> Element</h4> + <p>The root element of a policy document is either a <code><policy-set></code> or a <code><policy></code>;. + <code><policy-set></code> has two possible attributes: + </p> + <ul> + <li>combine, which <em title="must" class="rfc2119">must</em> take a value of "deny-overrides", "permit-overrides" or "first-matching-target". The attribute is optional; if it is omitted, the default value is "deny-overrides";</li> + <li>id, whose value is a textual identifier for the <code><policy-set></code>.</li> + </ul> + <p> + <code><policy-set></code> contains an optional <code><target></code>;, then zero or more <code><policy></code>; and/or <code><policy-set></code> elements. + </p> + </section> + <section id="rule"> + <h4>The <code><rule></code> Element</h4> + <p><code><rule></code> has one possible attribute, effect, which must take a value of "permit", "prompt-blanket", "prompt-session", "prompt-oneshot" or "deny". The attribute is optional; if it is omitted, the default value is "permit". + </p> + <p><code><rule></code> contains an optional <code><condition></code>. + </p> + </section> + <section id="target"> + <h4>The <code><target></code> Element</h4> + <p><code><target></code> contains one or more <code><subject></code> elements. + </p> + </section> + <section id="subject"> + <h4>The <code><subject></code> Element</h4> + <p><code><subject></code> contains one or more <code><subject-match></code> elements. + </p> + </section> + <section id="condition"> + <h4>The <code><condition></code> Element</h4> + <p> + <code><condition></code> has one possible attribute, combine, which must take a value of "and" or "or". The attribute is optional; if it is omitted, the default value is "and". 
+ </p> + <p><code><condition></code> contains one or more elements, each of which is one of <code><condition></code>, <code><subject-match></code>, <code><resource-match></code> or <code><environment-match></code>. + </p> + </section> + <section id="subject-match, resource-match, environment-match"> + <h4>The <code><subject-match></code>, <code><resource-match></code>, <code><environment-match></code> Elements</h4> + <p><code><subject-match></code> represents a condition on a single subject attribute to be matched in a target or condition. <code><resource-match></code> represents a condition on a single resource attribute to be matched in a condition. <code><environment-match></code> represents a condition on a single environment attribute to be matched in a condition. + </p> + <p>The element has up to three (XML) attributes: + </p> + <ul> + <li>(mandatory) attr: the name of the subject, resource or environment (respectively) attribute to check. The attribute name is optionally followed by one of the suffixes ".scheme", ".authority", ".scheme-authority", ".host" or ".path", causing the equivalently named URI modifier function to be applied to the attribute value before matching.</li> + <li>(optional) match: the literal text to match. If this attribute is omitted, then the contents of the element are used instead.</li> + <li>(optional) func: the match function to use. If it is present, it must be one of "equal", "glob" or "regexp". If func is omitted, then the default is "glob".</li> + </ul> + <p>The contents of a <code><subject-match></code>, <code><resource-match></code> or <code><environment-match></code> element represent the value to match, only if the match attribute is absent. If the match attribute is present, then the element contents are ignored. For a <code><subject-match></code>, the contents are PCDATA. 
For the others, the contents can be any combination of PCDATA, <code><subject-attr></code>, <code><resource-attr></code> and <code><environment-attr></code> elements, giving the literal text to match after expanding any attributes. + </p> + </section> + <section id="subject-attr, resource-attr, environment-attr"> + <h4>The <code><subject-attr></code>, <code><resource-attr></code>, <code><environment-attr></code> Elements</h4> + <p> + Each of these elements represents the value of a subject, resource or environment attribute respectively. + </p> + <p> + The element has one (XML) attribute, attr, giving the name of the attribute to expand. It has no contents. + </p> + </section> + </section> </section> -</section> -</section> - - <section id="example-abuse-policies"> +<section id="example-abuse-policies"> <h2>Example Policies to mitigate Abuse Use Cases</h2> <p> This section outlines some example policies that could be used to deal with abuses of device APIs. @@ -724,16 +798,15 @@ <section id="premium-rate-defence"> <h3>Defending against premium rate abuse</h3> <p>The example assumes that a number of mechanisms have already been defeated in the security chain – the application is trusted and is on the device. If the user (or the policy provider) has stated that they don’t want to call premium rate numbers in the UK: - </p> - <p> + </p> <pre><code> -<target> - <subject> +<code><target></code> + <code><subject></code> <subject-match attr="author-key-root-fingerprint">sha256 ******** root fingerprint of author **** /> </subject> <-- to identify the Identified domain, the same would apply for the Unidentified domain--> </target> <rule effect=one-shot> - <condition> + <code><condition></code> <resource-match attr="dev-cap" match="messaging.*.send" param:recipients="+4409*" func="glob"/> <-- to block UK premium rate numbers --> </condition> </rule> 
@@ -752,15 +825,15 @@ Clearly, if the widget is prevented from installing, then it cannot call a device API – these functions are shown as a belt and braces example: <pre><code> -<target> - <subject> +<code><target></code>; + <code><subject></code> <subject-match attr="id" match="http://www.maliciouswidget1.org" /> </subject> </target> <rule effect=deny> <condition combine=or> <resource-match attr=widget-install /> - <resource-match attr=widget-instantiate /> + <resource-match attr=widget-instantiate /> <resource-match attr=api-feature match=* /> <resource-match attr=dev-cap match=* /> </condition> @@ -781,13 +854,13 @@ </section> - <section class='appendix'> +<section class='appendix'> <h2>Acknowledgements</h2> <p> The editors would like to extend special thanks to Nokia, OMTP BONDI, and PhoneGap for providing the foundation of the working group's requirements discussion. </p> - </section> +</section> </body> </html>
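Review bot: in the @@ -42 hunk the inline "(*** XACML MISSING REF ENTRY OASIS eXtensible Access Control Markup Language (XACML) Version 2.0 ***)" marker will be published verbatim. Add the XACML 2.0 entry to the references block so that [[!XACML]] resolves, and drop the marker from the paragraph rather than leaving the bibliographic data in running text.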
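Review bot: in the @@ -85 hunk (and the @@ -97 and @@ -132 hunks that do the same) the new links use unquoted attribute values, href=#modifier-function and href=#matching-function, while the #effect link added in the @@ -444 hunk is quoted; quote them all the same way. A section with id matching-function exists (its closing comment is visible later in this diff); please confirm one with id modifier-function exists too, since a dangling fragment will not be flagged by the build and simply renders as a dead link.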
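Review bot: in the @@ -292 hunk two placeholders remain on the unchanged lines of the same table row, "api-feature (*** ref: ****)" and "See Appendix A (*** change this ref ****)"; since the row is being edited to resolve the RFC3987 reference, resolve these too. The RFC 3987 IRI-to-URI mapping is the right one, but the row should also say that the match is performed on the converted (percent-encoded) form, so that a policy author who writes a match literal as an IRI with non-ASCII characters is told it will not compare equal.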
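Review bot: in the @@ -372 hunk bearer-type is typed "string" but holds "a comma-separated list of one or more" bearer types. Since the equal and glob matching functions compare the whole string (glob: "the entire string matches"), a policy can only single out one bearer among several with a pattern such as *wifi*, which also matches any unintended substring. The spec already has a bag-of-strings type for multi-valued inputs; consider using it here instead of an ad hoc comma-separated encoding. Separately, [[DCONTOLOGY]] is cited informatively (no "!") while every other reference in this patch is normative; decide whether the bearer vocabulary is normative, because implementations need the canonical spelling of each value for matching to be interoperable.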
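Review bot: in the @@ -460 hunk the closing comment after the Rule section, on the unchanged line just before <section id="policy">, still reads "</section> <!-- decision -->" and should read "<!-- rule -->". The AND and OR bullet lists are also placed directly inside a <p>, which is invalid (a <ul> implicitly closes the paragraph and leaves the later </p> stray); close the <p> before each <ul>. The quotation-mark fixes themselves look right.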
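Review bot: in the @@ -490 hunk the unchanged recommendation that a policy set id "should be used" in the textual representation of a UUID collides with the signature design added later in this patch, where each Reference points at a sibling <policy-set> by id. An XML Signature same-document reference (URI="#...") resolves against an attribute of type ID, and ID values must be XML Names, which cannot begin with a digit; a UUID whose first character is 0-9 is therefore not usable as an ID as written. Require the id to be an NCName (for example by mandating a letter prefix before the UUID) and say which attribute carries the ID type, or same-document references will fail to resolve on a random subset of policy sets.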
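Review bot: in the @@ -522/@@ -530 hunks the new regular-expression text says "some part of the string matches", whereas the glob function requires that "the entire string matches"; the regexp function is thus a search, not an anchored match, and that asymmetry should be stated explicitly with the advice to anchor patterns with ^ and $. Without anchors a pattern intended for a host such as example\.com also matches example.com.attacker.example, which in an access control policy is a fail-open. Also state which ECMAScript flags, if any, apply, since the meaning of ^ and $ changes under the multiline flag, and confirm that the [[!ECMA-262]] key resolves to the 3rd edition the text names (the 5th edition was published in December 2009, so a generic key may now point there). The [[!SUSv3]] citation still carries its "MISSING REF ENTRY" marker and needs an entry as well.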
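Review bot: in the @@ -707 hunk the XML Signature constraints misname the attribute: a Reference element carries a URI attribute, not a URL attribute, and Reference elements are children of SignedInfo rather than direct children of the signature element, so "must contain one or more valid <Reference> elements" should say where. State whether <signature> is ds:Signature itself or a local wrapper element, and in which namespace. Since Transform elements are forbidden, say that the referenced node set is canonicalized with Canonical XML (without comments), which is what XML Signature applies when a node set must be converted to octets with no transform present; otherwise verifiers will guess. The fourth bullet rejects a document with an unreferenced policy, but the second bullet gives no consequence for a Reference whose URI does not designate a sibling <policy> or <policy-set>; make that invalid too. Markup issues in the same hunk: "<code><code><signed-policy></code></code>" doubles the code element; several "</code>;" sequences leave a stray semicolon (an entity-editing leftover, e.g. "<code><policy></code>;." and "<code><target></code>;,"), and if those angle brackets are literal in the source they must be escaped as &lt; and &gt; or the browser parses them as tags; <Reference> and <Transform> are not wrapped in <code> like the other element names. The new <section id="rule"> duplicates the id of the existing Rule section earlier in this file (rename it, e.g. rule-element), and id="subject-match, resource-match, environment-match" and id="subject-attr, resource-attr, environment-attr" contain spaces and commas, which are not valid id values and cannot be linked to. Finally, the default effect "permit" when the effect attribute is omitted means a rule whose attribute is mistyped silently grants; given that combine defaults to "deny-overrides", consider making effect mandatory or defaulting it to "deny". The "(*** change ref ***)" placeholder still needs resolving.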
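Review bot: in the @@ -798 hunk the element-name markup substitution leaked into the example: "<code><target></code>" and "<code><condition></code>" now appear inside the <pre><code> block, so the rendered example policy is no longer well-formed XML; revert to plain <target> and <condition> there. On the unchanged lines of the same example, effect=one-shot is not one of the defined effects (the schema lists prompt-oneshot); the <subject-match ...>sha256 ... /> line has both element content and a self-closing tag; the "<-- ... -->" comments are missing the "!"; and param:recipients is not among the attributes the new schema section defines for <resource-match> (attr, match, func), so either define it or express the recipient constraint through match. If +4409* is meant to be an international number, note that UK numbers drop the trunk 0 after +44, so the pattern for 09 premium-rate numbers would be +449*.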
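Review bot: in the @@ -825 hunk the same substitution leak appears, "<code><target></code>;" with a stray semicolon inside the <pre><code> block; revert to <target>. In the unchanged lines, <resource-match attr=widget-install /> has neither a match attribute nor content, so under the schema text it matches the empty literal; say whether an empty match is meant to test for the attribute's presence or give the intended value, since as written the deny rule may never fire for those two entries.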
Received on Wednesday, 7 April 2010 09:24:02 UTC