Subject: Re: [xacml] Alternative to Michiharu's proposal. (fwd)
On Wed, 9 Oct 2002, bill parducci wrote:

> you only need to choose between 'a XACML' and 'an XACML', other than
> that i can live with it. :o)

Looks like by voting, the "an"s have it.

>
> b
>
> Polar Humenn wrote:
> > Oops, I noticed a couple nuances when it came back to me as well. I'm done
> > for the day. A rewording based on Bill's suggestions:
> >
> > 7.1 Use Profile for XACML Request
> >
> ! This section describes the use profile for using an XACML PDP in an
> > application environment. This use profile covers the case of a PEP that is
> > configured to make authorization queries to a single PDP. PEP to multiple
> > PDP configurations are outside of the scope of this specification.
> >
> > An application functions in the role of the PEP if it guards access to a
> > particular resource and asks the PDP for an access decision. The PEP that
> > asks the PDP for an access decision SHALL abide by the result of that
> > access decision in the following way:
> >
> > A PEP SHALL allow access to the particular resource ONLY IF a valid XACML
> > response of "Permit" is returned by the PDP. The PEP SHALL deny access to
> ! the particular resource in all other cases. An XACML response of "Permit"
> > SHALL be considered valid ONLY IF the PEP understands all of the
> > obligations that may be contained in the response.
> >
> > A PEP that receives a valid XACML response of "Permit" with obligations
> > SHALL be responsible for fulfilling all of those obligations. A PEP that
> ! receives a XACML response of "Deny" with obligations SHALL be responsible
> > for fulfilling all of the obligations that it understands.
> >
> > ---
> >
> > Did I mess anything up?
> >
> > Cheers,
> > -Polar
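
The enforcement rule in the quoted section 7.1 draft, as an added example that is not part of the original message or of the XACML specification: a fail-closed PEP decision routine. The Response and PEP classes, the obligation ids and the handler registry are hypothetical names chosen for illustration; a Permit carrying an unknown obligation is treated as not valid, and in that case this sketch fulfils none of the obligations, which is an assumption because the draft text does not address it.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Response:
    """Hypothetical stand-in for an already parsed XACML response."""
    decision: str                                   # "Permit", "Deny", ...
    obligations: List[str] = field(default_factory=list)   # obligation ids


class PEP:
    def __init__(self, handlers: Dict[str, Callable[[], None]]):
        self.handlers = handlers        # the obligations this PEP understands
        self.fulfilled: List[str] = []  # audit trail of fulfilled obligations

    def fulfil(self, obligation_ids: List[str]) -> None:
        # A handler that raises propagates, so access is never granted
        # with an obligation left unfulfilled.
        for oid in obligation_ids:
            self.handlers[oid]()
            self.fulfilled.append(oid)

    def enforce(self, response) -> bool:
        """Return True only if access to the resource may be allowed."""
        if not isinstance(response, Response):
            return False                # no valid response: deny
        understood = [o for o in response.obligations if o in self.handlers]
        if response.decision == "Permit":
            if len(understood) != len(response.obligations):
                return False            # Permit not valid: unknown obligation
            self.fulfil(understood)     # valid Permit: fulfil all obligations
            return True
        if response.decision == "Deny":
            self.fulfil(understood)     # Deny: fulfil those it understands
        return False                    # every non-Permit case denies


if __name__ == "__main__":
    # Constructed sample data: one understood obligation, one unknown.
    pep = PEP({"urn:example:obligation:log": lambda: None})
    cases = [
        Response("Permit", ["urn:example:obligation:log"]),
        Response("Permit", ["urn:example:obligation:encrypt"]),
        Response("Deny", ["urn:example:obligation:log",
                          "urn:example:obligation:encrypt"]),
        Response("Indeterminate"),
    ]
    for case in cases:
        print(case.decision, case.obligations, "->", pep.enforce(case))
```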