Subject: RE: [xacml] Proposed semantics for operations involving INDETERMINATE

>> The client shouldn't know what the operational errors of the PDP actually
>> are. If it does, it breaks encapsulation of the PDP, and causes the
>> clients of a PDP to worry about a lot more than Access Decisions, but also
>> problems with the PDP.

>indeed! we break encapsulation at this level and we abandon all hope of
>interoperability (we teeter perilously close to the abyss as it is...)

Completely disagree.  Every single security system differentiates between,
say, "incorrect password" and "service not available".

>> I personally would like to restrict the policy to only evaluate the
>> evidence in the Context, and therefore all data is considered
>> available.
>> Then there is no question, and no Errors.

>agreed.

Not possible.  It is not safe to accept evidence from a client in many cases - nor
is it scalable in performance - most extension functions will do some sort of access
to some "evidence" repository directly from PDP or compute them (like TimeOfDay - from
system clock, where you want to perform sanity check - against a different time stamp in
evidence for example).  That's the whole point of it.  Such links may be broken. It is
different from having no rule - fundamentally different.

In fact what we are discussing is that functions in the constraint may "throw exception", besides
returning "true" or "false".  I think we do need a clear protocol to communicate that - we should not
lump together a case when no applicable rule was found with the case of a database connection that timed out.
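The following is an added illustration of the distinction argued in this message; it is not code from the thread, from OASIS, or from any XACML implementation. It models a toy PDP in which a rule's condition may raise an error while fetching evidence from a PDP-side repository (here a constructed role directory and clock), and it keeps that outcome (Indeterminate) apart from "no rule matched" (NotApplicable). The four decision names follow XACML; the combining logic is a simplified deny-overrides ordering assumed for the example, not the specification text. The client-facing view carries only a decision and a short status code, while the diagnostic detail (e.g. "connection to role repository timed out") stays server-side, so the PDP does not need to expose its internals to communicate that an error, rather than an absent rule, occurred.

```python
"""Toy PDP keeping "no applicable rule" and "evaluation error" apart.
Added example; decision names follow XACML, combining order is a simplification."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"   # no rule matched the request
    INDETERMINATE = "Indeterminate"    # a rule could not be evaluated


class EvaluationError(Exception):
    """Raised by an attribute source or extension function that cannot produce a value."""


@dataclass
class Result:
    decision: Decision
    status: str                    # short, stable code that is safe to return to the client
    detail: Optional[str] = None   # server-side diagnostic, logged but never returned


Context = Dict[str, object]


@dataclass
class Rule:
    effect: Decision                      # PERMIT or DENY
    target: Callable[[Context], bool]     # applicability test on the request context
    condition: Callable[[Context], bool]  # may raise EvaluationError


def evaluate_rule(rule: Rule, ctx: Context) -> Result:
    """Evaluate one rule; an error in the condition becomes Indeterminate, never NotApplicable."""
    try:
        if not rule.target(ctx):
            return Result(Decision.NOT_APPLICABLE, "ok")
        if rule.condition(ctx):
            return Result(rule.effect, "ok")
        return Result(Decision.NOT_APPLICABLE, "ok")
    except EvaluationError as exc:
        return Result(Decision.INDETERMINATE, "processing-error", detail=str(exc))


def combine_deny_overrides(rules: List[Rule], ctx: Context) -> Result:
    """Simplified deny-overrides (an assumption, not the spec text): Deny wins outright,
    Indeterminate beats Permit so an evaluation error can never be mistaken for a Permit
    or for "no rule", and NotApplicable is returned only when no rule matched at all."""
    results = [evaluate_rule(r, ctx) for r in rules]
    for wanted in (Decision.DENY, Decision.INDETERMINATE, Decision.PERMIT):
        for res in results:
            if res.decision is wanted:
                return res
    return Result(Decision.NOT_APPLICABLE, "ok")


def client_view(res: Result) -> Dict[str, str]:
    """What the PEP/client receives: decision and status code only, no internal error text."""
    return {"decision": res.decision.value, "status": res.status}


# --- constructed evidence sources (hypothetical stand-ins for PDP-side repositories) ---
def make_role_lookup(directory: Optional[Dict[str, str]]) -> Callable[[str], str]:
    """Return a lookup function; a None directory simulates a repository connection timeout."""
    def lookup(subject: str) -> str:
        if directory is None:
            raise EvaluationError("connection to role repository timed out")
        return directory.get(subject, "")
    return lookup


def build_rules(role_of: Callable[[str], str], clock_hour: Callable[[], int]) -> List[Rule]:
    return [
        # Deny payroll access outside working hours; the hour comes from the PDP's own
        # clock, not from client-supplied evidence.
        Rule(Decision.DENY,
             target=lambda c: c["resource"] == "payroll",
             condition=lambda c: not (8 <= clock_hour() < 18)),
        # Permit payroll reads to the "hr" role, fetched from the PDP-side repository.
        Rule(Decision.PERMIT,
             target=lambda c: c["resource"] == "payroll" and c["action"] == "read",
             condition=lambda c: role_of(c["subject"]) == "hr"),
    ]


def decide(ctx: Context, directory: Optional[Dict[str, str]], hour: int) -> Result:
    """Evaluate the constructed policy against a request, with injectable evidence sources."""
    rules = build_rules(make_role_lookup(directory), lambda: hour)
    return combine_deny_overrides(rules, ctx)


if __name__ == "__main__":
    staff = {"alice": "hr", "bob": "eng"}                       # constructed directory
    req = {"subject": "alice", "resource": "payroll", "action": "read"}
    print(client_view(decide(req, staff, hour=10)))                    # Permit
    print(client_view(decide(dict(req, subject="bob"), staff, 10)))    # NotApplicable
    print(client_view(decide(req, None, hour=10)))                     # Indeterminate, opaque status
    print(client_view(decide(dict(req, resource="wiki"), staff, 10)))  # NotApplicable: no rule
```

The point the example makes concrete: the same request yields NotApplicable when no rule covers it and Indeterminate when the role repository is unreachable, and a PEP that conflates the two would treat an outage exactly like an unconfigured resource. The opaque `status` code gives the client enough to distinguish "ask again later" from "nothing applies" without learning which repository failed.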
