xacml-dev message

Subject: Re: [xacml-dev] remote PDP

From: Seth Proctor <Seth.Proctor@Sun.COM>
To: Argyn <argyn@cox.net>
Date: Sun, 10 Oct 2004 16:17:54 -0400

On Oct 10, 2004, at 4:04 PM, Argyn wrote:
> On Sun, 10 Oct 2004 15:31:41 -0400, Seth Proctor 
> <Seth.Proctor@Sun.COM> wrote:
>> If you're willing to pass those attributes in a Request, have them 
>> available through some interface, or do a multi-phased exchange, then 
>> you've got no problems.
>
> actually, this multi-phased exchange is what I'm thinking about. I 
> don't know in advance what's required. So, if PDP needs more 
> attributes it has to get them from application's PEP. it's more 
> network traffic, and slows down the decision making.

You've hit right on the tradeoff here. You get an easy way for the PDP 
to do a partial evaluation and tell the PEP what it needs to provide 
next, but it's possibly much more expensive. If you want to get fancy, 
your PEP can keep track of which attributes were needed for a given 
request, and remember so that in the future you include all attributes 
that are probably needed in the initial request. But yes, generally, 
it's a tradeoff.

seth

References:
- RE: [xacml-dev] remote PDP
  - From: "Kuketayev, Argyn" <argyn_kuketayev@fanniemae.com>
- RE: [xacml-dev] remote PDP
  - From: Seth Proctor <Seth.Proctor@Sun.COM>
- Re: [xacml-dev] remote PDP
  - From: Bill Parducci <bparducci@gluecode.com>
- Re: [xacml-dev] remote PDP
  - From: Seth Proctor <Seth.Proctor@Sun.COM>
- Re: [xacml-dev] remote PDP
  - From: Bill Parducci <bparducci@gluecode.com>
- Re: [xacml-dev] remote PDP
  - From: Seth Proctor <Seth.Proctor@Sun.COM>
- Re: [xacml-dev] remote PDP
  - From: Argyn <argyn@cox.net>
- Re: [xacml-dev] remote PDP
  - From: Seth Proctor <Seth.Proctor@Sun.COM>
- Re: [xacml-dev] remote PDP
  - From: Argyn <argyn@cox.net>