Re: [plasma] Plasma Document Updates

Ed Simon <> Fri, 07 December 2012 02:27 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 29C5C21E8039 for <>; Thu, 6 Dec 2012 18:27:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -5.998
X-Spam-Status: No, score=-5.998 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_33=0.6, RCVD_IN_DNSWL_MED=-4, UNPARSEABLE_RELAY=0.001]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id LHWZx2nsWk+m for <>; Thu, 6 Dec 2012 18:27:30 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 9482521E8043 for <>; Thu, 6 Dec 2012 18:27:30 -0800 (PST)
Received: from [] by id CA/3B-14264-21451C05; Fri, 07 Dec 2012 02:27:30 +0000
X-Originating-IP: []
X-StarScan-Version:; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 3713 invoked from network); 7 Dec 2012 02:27:29 -0000
Received: from (HELO ( by with AES128-SHA encrypted SMTP; 7 Dec 2012 02:27:29 -0000
Received: from E10MB3.tituscorp.local ([fe80::84f4:cfbe:f32f:9a5]) by E10CH1.tituscorp.local ([]) with mapi id 14.03.0099.000; Thu, 6 Dec 2012 21:27:27 -0500
From: Ed Simon <>
To: Jim Schaad <>, "" <>
Thread-Topic: [plasma] Plasma Document Updates
Thread-Index: Ac3TfgPXLLtPG003SzOgdHO5bPZNBQAiVlKQ
Date: Fri, 07 Dec 2012 02:27:26 +0000
Message-ID: <DCD8C7A5A8B3E844AA2E2CBE327CDC92013DEF73@E10MB3.tituscorp.local>
References: <014001cdd3f3$af7c3940$0e74abc0$>
In-Reply-To: <014001cdd3f3$af7c3940$0e74abc0$>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [plasma] Plasma Document Updates
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "The PoLicy Augmented S/Mime \(plasma\) bof discussion list." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 07 Dec 2012 02:27:33 -0000

Thanks Jim,

1. I agree about switching from <WS-Token> to <RoleToken>.

2. I agree with OctetString to accommodate compressed XML (e.g. EXI).

3. Re combining algorithms, my opinion is that we should use the full XACML combining algorithm identifiers and, of course, clients would provide friendly names/interfaces (e.g. "AND" instead of "urn:oasis:xacml:...:deny-overrides"). Re which combining algorithms are supported, could PLASMA
 * for at least v1, define a limited set (just "AND" and "OR"); or
 * require all mandatory XACML-specified combining algorithms. 

4. Re specifying policy options, maybe borrowing the XACML <Target> element would be sensible; would not PLASMA policy options basically equivalent to AND'ing a GetCMSToken <PolicySet>/<Policy>/<Target> with the server's <PolicySet>/<Policy>/<Target>? (Not that the server's policy engine has to be XACML, but even in other policy languages, the "AND'ing of targets" concept would still apply.)

From: [] on behalf of Jim Schaad []
Sent: Thursday, December 06, 2012 15:53
Subject: [plasma] Plasma Document Updates

I am currently in the middle of doing a large revision of the two documents
that I am the primary author on.  In the process of doing this update, I
have a few issues that I would like people to comment on.

1.   I am considering changing the element "WS-Token" in
"AuthenticationType".  Since the only place where this is currently being
used is for dealing with role tokens, I believe it would be useful to change
the name of the element to "RoleToken" as this would make it clearer what
goes here.

2.  In the CMS document I have change the label from being an ASN.1 encoded
string to being the XML encoded string.  However, I am wondering if we
should make this an OCTET STRING which holds the XML encoded string so that
we can allow for compression to occur as an optional method of encoding it.
Does anyone see any problems with this?

 I have been thinking about the suggested on renaming from Ed and looking at
XAML.  I have decided to use Policy and PolicySet as the replacements for
Label/Leaf in this update.  However there are still some things that I have
not really made any conclusions for.

3.  Should we switch from using a simple string, or augment the simple
string, by allowing the XACML PolicyCombiningAlgId URIs this means that
"urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides" and
"and" are the same thing.  There is no equivalent to "except", but it is
also possible this one is a figment of my imagination and there is no real
need for it.   One can do this in XACML by combining default-permit and
default-deny policies but I don't know if it is needed in real life or not.
The benefit of allowing the additional URIs is that there are a set of
policy combining algorithms already defined by XACML that should correspond
to things that are real and it makes it easier to augment the set of
combining strings.  The downside is that URIs are longer than the set of
short strings - does anyone have opinions on this?  The other downside of
using URIs is that the server may need to give the list of supported
combining algorithms to the client or we need to have an error for saying
that a combining algorithm is not supported.

4.  I am still working my way through the ways of specifying policy options
and have not made any decisions for myself let along ones that I would be
willing to impose on the document.  Any other options and opinions that
anyone wants to put in as input, I would be more than willing to get that
input at this time.


plasma mailing list