

Subject: Re: [xacml] Discussion summary and revised post-condition proposal


i think that you will find that this opens up a can of worms that we 
will not be able to close. as a simpleton, i think of it this way: PDPs 
'decide', PEPs 'do'; therefore any action that would show up in an XACML 
policy would be the responsibility of the PEP. (which is why PDP logging 
is out of scope for us in my mind).

b

Carlisle Adams wrote:

> Hi Michiharu,
> 
> Thank you (and the other members of the sub-sub-committee) for your 
> careful write-up!  I have one small comment.
> 
>       ----------
>       *From:*   Michiharu Kudoh[SMTP:KUDO@jp.ibm.com]
>       *Sent:*   Thursday, February 21, 2002 5:27 AM
>       *To:*     XACML TC
>       *Subject:*        [xacml] Discussion summary and revised post-condition proposal
> 
>       3.3 Return provisions to PEP
>       PDP just returns the resolved provisions back to PEP. We assume
>       here that PDP is not configured to support provisions.
>       PDP-supported provision is outside the scope of XACML.
> 
>  
> Alternatively, we could take the following position.
> 
> The PDP gathers together all the resolved obligations (i.e., all the 
> obligations that are relevant, given the evaluation of the policy).  If 
> it is able to support any of those obligations itself, it will do so.  
> Those that it cannot support, it returns to the PEP in the 
> AuthorizationDecisionWithObligationStatement.
> 
> That is, rather than saying that the PDP is not configured to support 
> obligations, we leave it entirely open.  It may or may not support 
> obligations; that is an implementation choice.  However, any 
> policy-required obligations that it cannot support must be passed along 
> to the PEP.
> 
> Carlisle.
> 



