Subject: Re: [xacml] Re: env attributes


On Wed, 23 Oct 2002, Anne Anderson - Sun Microsystems wrote:

> Except that I believe we say explicitly that "current-time", etc. is the
> time at the PDP.  How is the PEP supposed to know the time at the PDP?
> Maybe we need current-PDP-time, etc. and current-PEP-time, etc. :-)

The PEP is not supposed to know the time at the PDP. The PEP should fill
those values with the time relevant to the access decision. The XACML
writer expects those values to correspond with the time for which the
access decision applies.

-Polar

>
> Anne
>
> "Polar Humenn" <polar@syr.edu> wrote:
> >Date: Wed, 23 Oct 2002 15:08:56 -0400 (EDT)
> >
> >I should believe that values for the current-time, current-date, and
> >current-dateTime environmental attributes should be provided by the PEP,
> >not the PDP.
> >
> >How can one force temporal evaluation schemes on the PDP for it to come up
> >with values for these attributes? One has no control over the evaluation,
> >especially if different pieces of the policy get evaluated at different
> >times. It is completely up to an implementation.
> >
> >The client of the PDP, (i.e. a PEP) should be providing values for these
> >attributes in the request context. The PDP should NOT supply them.
> >Otherwise, you would get different answers for the same inputs given by
> >the client (i.e. a PEP).
> >
> >In fairness to temporal reasoning, however, it is the onus of the
> >client, i.e. PEP, in accordance with XACML semantics, to give these
> >attributes values that are considered valid with the temporal concerns of
> >an access decision.
> >
> >Basic upshot: The current-time, current-date, and current-dateTime should
> >be required to come from the request context.
> >
> >Cheers,
> >-Polar
> >
> >On Wed, 23 Oct 2002, Seth Proctor wrote:
> >
> >>
> >> In section 10.3.5 of 18d, the spec calls out three attribute identifiers that
> >> the PDP must be able to handle specially (these are current-time, current-date,
> >> and current-dateTime). Is the idea that these would appear in an AD in a
> >> policy, and the PDP is supposed to know to resolve these values itself rather
> >> than looking in the Request? I think that's the idea, but it's not spelled
> >> out explicitly in the text.
> >>
> >> Also, these go on that list I started earlier of attributes that should be
> >> defined to always be of a particular type:
> >>
> >>   subject-category       string or URI
> >>   resource-id            string or URI
> >>   scope                  string
> >>   current-time           ???
> >>   current-date           date
> >>   current-dateTime       dateTime
> >>
> >> Since each of these identifiers must be special-cased by the PDP, they must
> >> always be of a known type. There may be others that should be on this list,
> >> but most of the other identifiers are not treated in any special way by the
> >> PDP, so the type information is transparent to the PDP.
> >>
> >>
> >> seth
> >>
> >
> >
>
> Anne
> ------
> Anne Anderson          Anne.Anderson@Sun.COM
> Sun Microsystems Laboratories
> Burlington, MA         781-442-0928
>
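The rule argued for in this exchange, as an added example that is not part of the thread: the PEP stamps current-time, current-date and current-dateTime into the request context, and the PDP resolves them only from there (never from its own clock) and checks that each identifier carries its fixed type. The attribute URN prefix, the business-hours rule and the sample requests are assumptions constructed for this example.

```python
# Added example (not from the thread): a minimal PDP-style resolver for the
# three special environment attributes. It reads them from the PEP-supplied
# request context and never from the wall clock, so the same request always
# yields the same decision.
from datetime import date, datetime, time

# Assumed identifier prefix (follows the XACML 1.0 environment namespace).
ENV = "urn:oasis:names:tc:xacml:1.0:environment:"
CURRENT_TIME = ENV + "current-time"
CURRENT_DATE = ENV + "current-date"
CURRENT_DATETIME = ENV + "current-dateTime"

# Each special identifier is bound to one datatype, as Seth's list proposes.
EXPECTED_TYPE = {CURRENT_TIME: time, CURRENT_DATE: date, CURRENT_DATETIME: datetime}


def env_attr(request, attr_id):
    """Resolve a special environment attribute from the request context only.

    Returns (value, None) on success, or (None, status) when the attribute is
    absent or mistyped. The PDP does not fill in a missing value itself.
    """
    value = request.get("environment", {}).get(attr_id)
    if value is None:
        return None, "missing-attribute"
    # datetime subclasses date, so compare the exact class, not isinstance().
    if type(value) is not EXPECTED_TYPE[attr_id]:
        return None, "syntax-error"
    return value, None


def evaluate_business_hours(request, start=time(9, 0), end=time(17, 0)):
    """Hypothetical rule: Permit when current-time lies in [start, end)."""
    now, status = env_attr(request, CURRENT_TIME)
    if status is not None:
        return "Indeterminate"
    return "Permit" if start <= now < end else "Deny"


# Constructed request contexts as a PEP would send them; the timestamps are
# the PEP's view of when the decision applies, not the PDP's clock.
SAMPLE_REQUEST = {
    "environment": {
        CURRENT_DATE: date(2002, 10, 23),
        CURRENT_TIME: time(15, 8, 56),
        CURRENT_DATETIME: datetime(2002, 10, 23, 15, 8, 56),
    },
}
# Same instant, but current-time carries a dateTime instead of a time value.
MISTYPED_REQUEST = {"environment": {CURRENT_TIME: datetime(2002, 10, 23, 15, 8, 56)}}
```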

