xacml message



Subject: Re: [xacml] Re: env attributes


Except that I believe we say explicitly that "current-time", etc. is the
time at the PDP.  How is the PEP supposed to know the time at the PDP?
Maybe we need current-PDP-time, etc. and current-PEP-time, etc. :-)

Anne

"Polar Humenn" <polar@syr.edu> wrote:
>Date: Wed, 23 Oct 2002 15:08:56 -0400 (EDT)
>
>I should believe that values for the current-time, current-date, and
>current-dateTime environmental attributes should be provided by the PEP,
>not the PDP.
>
>How can one force temporal evaluation schemes on the PDP for it to come up
>with values for these attributes? One has no control over the evaluation,
>especially if different pieces of the policy get evaluated at different
>times. It is completely up to an implementation.
>
>The client of the PDP, (i.e. a PEP) should be providing values for these
>attributes in the request context. The PDP should NOT supply them.
>Otherwise, you would get different answers for the same inputs given by
>the client (i.e. a PEP).
>
>In fairness to temporal reasoning, however, it is the onus of the
>client, i.e. PEP, in accordance with XACML semantics, to give these
>attributes values that are considered valid with the temporal concerns of
>an access decision.
>
>Basic upshot: The current-time, current-date, and current-dateTime should
>be required to come from the request context.
>
>Cheers,
>-Polar
>
>On Wed, 23 Oct 2002, Seth Proctor wrote:
>
>>
>> In section 10.3.5 of 18d, the spec calls out three attribute identifiers that
>> the PDP must be able to handle specially (these are current-time, current-date,
>> and current-dateTime). Is the idea that these would appear in an AD in a
>> policy, and the PDP is supposed to know to resolve these values itself rather
>> than looking in the Request? I think that's the idea, but it's not spelled
>> out explicitly in the text.
>>
>> Also, these go on that list I started earlier of attributes that should be
>> defined to always be of a particular type:
>>
>>   subject-category       string or URI
>>   resource-id            string or URI
>>   scope                  string
>>   current-time           ???
>>   current-date           date
>>   current-dateTime       dateTime
>>
>> Since each of these identifiers must be special-cased by the PDP, they must
>> always be of a known type. There may be others that should be on this list,
>> but most of the other identifiers are not treated in any special way by the
>> PDP, so the type information is transparent to the PDP.
>>
>>
>> seth
>>
>
>

Anne
------
Anne Anderson          Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
Burlington, MA         781-442-0928
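As an added example (not part of this thread, and not Sun's or any XACML implementation's code), the toy PDP below resolves current-dateTime the way Polar argues it should be: from the Environment section of the request context, falling back to the PDP's own clock only when the PEP supplied nothing, and recording which source was used. It also enforces Seth's point that a special-cased attribute must carry a fixed type by rejecting the attribute when its DataType is not xs:dateTime. The XML is a simplified XACML request context constructed for the demo; the attribute identifier is the one published in the final XACML 1.0 specification (assumed here to match draft 18d); the `urn:example:*` identifiers and the 09:00 to 17:00 policy window are made up for illustration.

```python
import datetime as dt
import xml.etree.ElementTree as ET

# Identifier as published in XACML 1.0 section 10.3.5 (assumed to match the
# draft discussed in the thread). The XML shape used below is a simplified
# request context, also an assumption of this example.
ENV_CURRENT_DATETIME = "urn:oasis:names:tc:xacml:1.0:environment:current-dateTime"
XS_DATETIME = "http://www.w3.org/2001/XMLSchema#dateTime"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

# Constructed request contexts (not from the thread): identical Subject and
# Resource; the first carries a PEP-supplied current-dateTime, the second omits it.
REQUEST_HEAD = f"""<Request>
  <Subject>
    <Attribute AttributeId="urn:example:subject-id" DataType="{XS_STRING}">
      <AttributeValue>polar</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="urn:example:resource-id" DataType="{XS_STRING}">
      <AttributeValue>/payroll/report</AttributeValue>
    </Attribute>
  </Resource>
  <Action/>"""

REQUEST_WITH_PEP_TIME = REQUEST_HEAD + f"""
  <Environment>
    <Attribute AttributeId="{ENV_CURRENT_DATETIME}" DataType="{XS_DATETIME}">
      <AttributeValue>2002-10-23T15:08:56-04:00</AttributeValue>
    </Attribute>
  </Environment>
</Request>"""

REQUEST_WITHOUT_TIME = REQUEST_HEAD + "\n  <Environment/>\n</Request>"


def environment_attribute(request_xml, attribute_id):
    """Return (DataType, text) of the first matching Environment attribute, or None."""
    root = ET.fromstring(request_xml)
    for attr in root.iterfind("./Environment/Attribute"):
        if attr.get("AttributeId") == attribute_id:
            return attr.get("DataType"), (attr.findtext("AttributeValue") or "").strip()
    return None


def resolve_current_datetime(request_xml, pdp_clock):
    """Prefer the PEP-supplied value from the request context; consult the PDP
    clock only when the attribute is absent. Returns (datetime, source) so the
    caller can see which happened. A wrong DataType is an error, not a guess."""
    found = environment_attribute(request_xml, ENV_CURRENT_DATETIME)
    if found is None:
        return pdp_clock(), "pdp-clock"
    datatype, text = found
    if datatype != XS_DATETIME:
        raise ValueError(f"{ENV_CURRENT_DATETIME} must be {XS_DATETIME}, got {datatype}")
    return dt.datetime.fromisoformat(text), "request-context"


def decide(request_xml, pdp_clock):
    """Toy policy (made up for the demo): Permit between 09:00 and 17:00 of the
    resolved timestamp's own clock, Deny otherwise."""
    when, source = resolve_current_datetime(request_xml, pdp_clock)
    permit = dt.time(9, 0) <= when.time() < dt.time(17, 0)
    return ("Permit" if permit else "Deny"), source


def demo():
    """Same request evaluated under two different PDP clocks. With the PEP's
    timestamp in the context the decision is stable; without it, the answer
    depends on when the PDP happened to evaluate, which is Polar's objection."""
    morning = lambda: dt.datetime(2002, 10, 23, 10, 0, tzinfo=dt.timezone.utc)
    night = lambda: dt.datetime(2002, 10, 23, 23, 0, tzinfo=dt.timezone.utc)
    return {
        "pep_time_morning_clock": decide(REQUEST_WITH_PEP_TIME, morning),
        "pep_time_night_clock": decide(REQUEST_WITH_PEP_TIME, night),
        "no_time_morning_clock": decide(REQUEST_WITHOUT_TIME, morning),
        "no_time_night_clock": decide(REQUEST_WITHOUT_TIME, night),
    }


if __name__ == "__main__":
    for name, (decision, source) in demo().items():
        print(f"{name:24s} {decision:6s} (time from {source})")
```

The `source` field is the useful diagnostic here: a PDP that logs it can show an auditor that a decision was reproducible from the request alone, while a `pdp-clock` entry flags a request the PEP submitted without temporal context.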




