Subject: RE: [xacml] Proposed semantics for operations involving INDETERMINATE
>> The client shouldn't know what the operational errors of the PDP actually
>> are. If it does, it breaks encapsulation of the PDP, and causes the
>> clients of a PDP to worry about a lot more than Access Decisions, but also
>> problems with the PDP.
>indeed! we break encapsulation at this level and we abandon all hope of
>interoperability (we teeter perilously close to the abyss as it is...)
Completely disagree. Every single security system differentiates between,
say, "incorrect password" and "service not available".
>> I personally would like to restrict the policy to only evaluate the
>> evidence in the Context, and therefore all data is considered
>> available.
>> Then there is no question, and no Errors.
>agreed.
Not possible. It is not safe to accept evidence from a client in many cases - nor
is it scalable in performance - most extension functions will do some sort of access
to some "evidence" repository directly from the PDP or compute them (like TimeOfDay - from
the system clock, where you want to perform a sanity check - against a different time stamp in
the evidence, for example). That's the whole point of it. Such links may be broken. It is
different from having no rule - fundamentally different.
In fact what we are discussing is that functions in the constraint may "throw exception", besides
returning "true" or "false". I think we do need a clear protocol to communicate that - we should not
lump together the case when no applicable rule was found with the case of a database connection timing out.
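The distinction the reply argues for, as an added example that is not part of the original post and not code from any XACML implementation: a toy Python evaluator in which a condition function may raise an evaluation error (here a constructed "evidence repository" time-of-day lookup that times out), and the combiner reports that as Indeterminate with a reason instead of collapsing it into NotApplicable. The rule names, the `deny_overrides` ordering (Deny wins, then Indeterminate, then Permit, then NotApplicable), and the PEP messages are assumptions made for the example; the PEP still fails closed in every non-Permit case, it merely keeps "no applicable rule" and "PDP error" distinguishable.

```python
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple

Context = Dict[str, object]


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"  # no rule matched the request
    INDETERMINATE = "Indeterminate"   # a rule could not be evaluated (operational error)


class EvaluationError(Exception):
    """Raised when a condition function cannot obtain the evidence it needs."""


class Rule:
    def __init__(self, name: str, effect: Decision, condition: Callable[[Context], bool]):
        assert effect in (Decision.PERMIT, Decision.DENY)
        self.name = name
        self.effect = effect
        self.condition = condition  # may raise EvaluationError

    def evaluate(self, ctx: Context) -> Tuple[Decision, Optional[str]]:
        try:
            matched = self.condition(ctx)
        except EvaluationError as exc:
            # An operational failure is reported as Indeterminate with a reason,
            # never collapsed into "no rule applied".
            return Decision.INDETERMINATE, f"{self.name}: {exc}"
        return (self.effect if matched else Decision.NOT_APPLICABLE), None


def deny_overrides(rules: List[Rule], ctx: Context) -> Tuple[Decision, List[str]]:
    """Combine rule results: Deny wins outright; otherwise any Indeterminate is
    surfaced with its reasons; otherwise Permit if any rule permitted; else
    NotApplicable. This ordering is an assumption for the example."""
    results = [r.evaluate(ctx) for r in rules]
    decisions = [d for d, _ in results]
    errors = [why for d, why in results if d is Decision.INDETERMINATE]
    if Decision.DENY in decisions:
        return Decision.DENY, []
    if errors:
        return Decision.INDETERMINATE, errors
    if Decision.PERMIT in decisions:
        return Decision.PERMIT, []
    return Decision.NOT_APPLICABLE, []


# --- constructed evidence source (hypothetical PDP-side lookup) ---------------

def make_time_of_day_source(repo_up: bool, hour: int) -> Callable[[], int]:
    """Simulates a PDP-side lookup (system clock / evidence repository)."""
    def time_of_day() -> int:
        if not repo_up:
            raise EvaluationError("evidence repository connection timed out")
        return hour
    return time_of_day


def build_rules(time_of_day: Callable[[], int]) -> List[Rule]:
    # Hypothetical policy: contractors are denied; staff permitted 09:00-17:00.
    return [
        Rule("deny-contractors", Decision.DENY,
             lambda ctx: ctx.get("role") == "contractor"),
        Rule("permit-staff-business-hours", Decision.PERMIT,
             lambda ctx: ctx.get("role") == "staff" and 9 <= time_of_day() < 17),
    ]


def enforce(decision: Decision, reasons: List[str]) -> Tuple[bool, str]:
    """PEP behaviour: only Permit grants access, but the denial message keeps
    'no applicable rule' distinct from 'the PDP could not decide'."""
    if decision is Decision.PERMIT:
        return True, "access granted"
    if decision is Decision.DENY:
        return False, "access denied by policy"
    if decision is Decision.NOT_APPLICABLE:
        return False, "access denied: no applicable rule"
    return False, "access denied: PDP error (" + "; ".join(reasons) + ")"


def decide(ctx: Context, repo_up: bool = True, hour: int = 10) -> Tuple[Decision, List[str]]:
    rules = build_rules(make_time_of_day_source(repo_up, hour))
    return deny_overrides(rules, ctx)


if __name__ == "__main__":
    for ctx, up in [({"role": "staff"}, True), ({"role": "staff"}, False),
                    ({"role": "contractor"}, False), ({"role": "guest"}, True)]:
        d, why = decide(ctx, repo_up=up)
        print(ctx, "repo_up=%s" % up, d.value, "->", enforce(d, why)[1])
```

Running the block shows the four outcomes side by side: staff with the repository reachable is permitted, staff with the repository down is Indeterminate (the PEP denies and reports a PDP error), a contractor is denied regardless of the repository, and a guest gets NotApplicable. The Indeterminate reason is what the PEP or an operator needs to tell a policy miss from an outage.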