xacml-dev message
Subject: Re: [xacml-dev] Re: [xacml-users] XACML 2.0 Conformance Tests Questions



On Fri, Apr 25, 2008 at 10:07:23AM -0700, Oleg Gryb wrote:
> [...] 
> To summarize: I think it's a good idea to get all
> attributes resolved before request hits a PDP.

The problem is that this is an impossible task. In all but the most
closed and limited systems, it's a very hard task (in general) to know
all attributes that will be useful for a given request. How do you know
all attributes associated with the given user? How do you know what
policies will apply to the request, which policies will be referenced
as part of evaluation, and therefore which attribute values will be
needed?

Note that evaluation-time attribute resolution does not lock the PDP into
using any specific set of PIPs. On the contrary, the model is designed to
support arbitrary attribute resolution, but at a central point, rather than
making each PEP responsible for this task. If you look (for example) at the
SunXACML codebase, you'll see a generic plugin mechanism which allows for
evaluation-time resolution of attribute values from an arbitrary PIP.

If you want your PDP to be limited to using the attribute values supplied
in an XACML Request instance, that's ok. To pass the test in question you'll
have to decide how to provide the needed value (perhaps by including it
in the request, or by wedging in some other mechanism). Understand, however,
that you're missing a fundamental piece of the model. This is a long-standing
and very powerful aspect of the model that *everyone* takes advantage of
in running systems.


seth
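The evaluation-time resolution seth describes, as an added example that is not part of the original thread and not SunXACML code: a toy PDP with a single central PIP registry (all names hypothetical) that fills in a `role` attribute the PEP never put in the Request, and that returns Indeterminate when no source can supply a required attribute. The directory contents and the requests are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
# Hypothetical names and structure: not SunXACML's API, only the shape of the idea.
Request = Dict[str, str]                       # attribute-id -> value supplied by the PEP
Resolver = Callable[[Request], Optional[str]]  # a PIP: returns a value, or None if unknown

# Constructed sample identity store the PDP may consult at evaluation time.
DIRECTORY_ROLES = {"alice": "manager", "bob": "clerk"}

def directory_role_pip(request: Request) -> Optional[str]:
    """PIP: look up the subject's role in the directory, keyed on the request's subject-id."""
    return DIRECTORY_ROLES.get(request.get("subject-id", ""))

@dataclass
class Pdp:
    pips: Dict[str, Resolver] = field(default_factory=dict)  # one central PIP registry
    def register_pip(self, attribute_id: str, resolver: Resolver) -> None:
        self.pips[attribute_id] = resolver

    def resolve(self, attribute_id: str, request: Request) -> Optional[str]:
        # A value in the Request wins; otherwise ask the PIP registered for that attribute.
        if attribute_id in request:
            return request[attribute_id]
        resolver = self.pips.get(attribute_id)
        return resolver(request) if resolver else None

    def evaluate(self, rule: List[Tuple[str, str]], request: Request) -> str:
        """One Permit rule whose condition is a conjunction of attribute == value tests.
        Unresolvable (MustBePresent) attribute -> Indeterminate; false condition -> NotApplicable."""
        for attribute_id, expected in rule:
            value = self.resolve(attribute_id, request)
            if value is None:
                return "Indeterminate"
            if value != expected:
                return "NotApplicable"
        return "Permit"

MANAGER_RULE = [("role", "manager"), ("resource-id", "payroll")]
def demo() -> Dict[str, str]:
    """Evaluate MANAGER_RULE for requests that carry a subject-id but (mostly) no role."""
    pdp = Pdp()
    pdp.register_pip("role", directory_role_pip)
    requests = {
        "alice": {"subject-id": "alice", "resource-id": "payroll"},
        "bob": {"subject-id": "bob", "resource-id": "payroll"},
        "mallory": {"subject-id": "mallory", "resource-id": "payroll"},  # unknown to the PIP
        "carol": {"subject-id": "carol", "role": "manager", "resource-id": "payroll"},
    }
    return {name: pdp.evaluate(MANAGER_RULE, req) for name, req in requests.items()}
```

A PDP with no PIP registered for `role` returns Indeterminate for every request lacking it, which is exactly the situation a request-only PDP ends up in on the conformance test discussed above; a deny-biased PEP treats Indeterminate and NotApplicable alike as refusal.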

