[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: Re: [xacml] Alternative to Michiharu's proposal. (fwd)
I can live with it too.
Michiharu
IBM Tokyo Research Laboratory, Internet Technology
Tel. +81 (46) 215-4642 Fax +81 (46) 273-7428
Anne Anderson -
Sun Microsystems To: XACML <xacml@lists.oasis-open.org>
<Anne.Anderson@Su cc:
n.COM> Subject: Re: [xacml] Alternative to Michiharu's proposal. (fwd)
2002/10/10 09:18
Please respond to
Anne.Anderson
I can live with it too. Thanks, Polar. -Anne
"bill parducci" <bill.parducci@overxeer.com> wrote:
>Date: Wed, 09 Oct 2002 15:48:42 -0700
>you only need to choose between 'a XACML' and 'an XACML', other than that
i can
>live with it. :o)
>
>b
>
>Polar Humenn wrote:
>> Opps, I noticed a couple nuances when it came back to me as well. I'm
done
>> for the day. A rewording based on Bill's suggestions:
>>
>> 7.1 Use Profile for XACML Request
>>
>! This section describes the use profile for using an XACML PDP in an
>> application environment. This use profile covers the case of a PEP that
is
>> configured to make authorization queries to a single PDP. PEP to
multiple
>> PDP configurations are outside of the scope of this specification.
>>
>> An application functions in the role of the PEP if it guards access to a
>> particular resource and asks the PDP for an access decision. The PEP
that
>> asks the PDP for an access decision SHALL abide by the result of that
>> access decision in the following way:
>>
>> A PEP SHALL allow access to the particular resource ONLY IF a valid
XACML
>> response of "Permit" is returned by the PDP. The PEP SHALL deny access
to
>! the particular resource in all other cases. An XACML response of
"Permit"
>> SHALL be considered valid ONLY IF the PEP understands all of the
>> obligations that may be contained in the response.
>>
>> A PEP that receives a valid XACML response of "Permit" with obligations
>> SHALL be responsible for fulfilling all of those obligations. A PEP that
>! receives a XACML response of "Deny" with obligations SHALL be
responsible
>> for fulfilling all of the obligations that it understands.
>>
>> ---
>>
>> Did I mess anything up?
>>
>> Cheers,
>> -Polar
>
>
>----------------------------------------------------------------
>To subscribe or unsubscribe from this elist use the subscription
>manager: <http://lists.oasis-open.org/ob/adm.pl>
Anne
---------
Anne Anderson Anne.Anderson@Sun.COM
Internet Security Research Group
Sun Labs, Burlington, MA Phone: 781-442-0928
----------------------------------------------------------------
To subscribe or unsubscribe from this elist use the subscription
manager: <http://lists.oasis-open.org/ob/adm.pl>
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC