Subject: Re: [xacml] Attribute's Issuer as string?


Anne,

Thanks for the quick clarification. My old brain remembers now that I identified 
the same issue with SAML some time ago...

Is a possible issuer's "enhancement" on the xacml 2.0 feature list?

-Frank.

Anne Anderson wrote:

> Frank,
> 
> This is an inheritance from SAML, which defines Issuer as a
> "string".  Clearly it is a rather primitive concept at this
> point, and could use much more elaboration based on actual
> implementation environments.  Yours is a good case.
> 
> Thanks,
> Anne
> 
> On 9 July, Frank Siebenlist writes: [xacml] Attribute's Issuer as string?
>  > From: Frank Siebenlist <franks@mcs.anl.gov>
>  > To: XACML TC <xacml@lists.oasis-open.org>
>  > Subject: [xacml] Attribute's Issuer as string?
>  > Date: Wed, 09 Jul 2003 12:15:11 -0700
>  > 
>  > The Attribute's Issuer is defined as a string, and I was wondering what the 
>  > design rationale was behind that choice.
>  > 
>  > I was trying to see how you could take care of part of the path validation of an 
>  > assertion in xacml.
>  > 
>  > For example, you would only accept a certain attribute value if it was issued by 
>  > a subject that was a member of a certain group, or only by an issuer with a 
>  > certain name only if that name was asserted by a certain identity issuer.
>  > 
>  > I guess I was looking for an issuer type that would again be a subject with its 
>  > own attributes.
>  > 
>  > One alternative would be to chain different subjects in the Request together 
>  > through a naming convention that ties issuer's value to a subject's attribute 
>  > value ... but that doesn't seem very elegant.
>  > 
>  > Insight? Suggestions?
>  > 
>  > Thanks, Frank.
>  > 
>  > 
>  > -- 
>  > Frank Siebenlist              franks@mcs.anl.gov
>  > The Globus Project - Argonne National Laboratory
>  > 
> 

-- 
Frank Siebenlist              franks@mcs.anl.gov
The Globus Project - Argonne National Laboratory
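
Added example, not part of the original messages: a sketch of the workaround described in the quoted question, where an attribute's Issuer string is tied by naming convention to the subject-id of another subject in the Request, and the attribute is accepted only if that name was asserted by a given identity issuer and the subject is in a given group. The attribute ids, issuer names and helper functions are hypothetical; none of this is an XACML-defined API.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Attr:
    attr_id: str
    value: str
    issuer: str  # a bare string, as discussed in the thread

# Hypothetical attribute ids and issuer names, constructed for this example.
SUBJECT_ID, GROUP = "subject-id", "group"
IDENTITY_ISSUER, GROUP_ISSUER = "CN=Identity CA", "CN=Group Service"

def resolve_issuer(subjects, name, identity_issuer):
    """Find the one subject whose subject-id equals the issuer string and
    whose subject-id was asserted by the trusted identity issuer."""
    hits = [s for s in subjects
            if Attr(SUBJECT_ID, name, identity_issuer) in s]
    # No binding, or more than one candidate: fail closed.
    return hits[0] if len(hits) == 1 else None

def accept(subjects, attr, required_group,
           identity_issuer=IDENTITY_ISSUER, group_issuer=GROUP_ISSUER):
    """Accept attr only if its issuer resolves to a subject in the request
    that is a member of required_group."""
    issuer_subject = resolve_issuer(subjects, attr.issuer, identity_issuer)
    if issuer_subject is None:
        return False
    return Attr(GROUP, required_group, group_issuer) in issuer_subject

# Constructed request: each subject is a list of attributes.
ROLE_FROM_BOB = Attr("role", "admin", "bob")
ROLE_FROM_CAROL = Attr("role", "admin", "carol")
ROLE_FROM_DAVE = Attr("role", "admin", "dave")  # dave is not in the request
REQUEST = [
    [Attr(SUBJECT_ID, "alice", IDENTITY_ISSUER),
     ROLE_FROM_BOB, ROLE_FROM_CAROL, ROLE_FROM_DAVE],
    [Attr(SUBJECT_ID, "bob", IDENTITY_ISSUER),
     Attr(GROUP, "role-admins", GROUP_ISSUER)],
    # carol's name is self-asserted, so the chain to her group stops here.
    [Attr(SUBJECT_ID, "carol", "carol"),
     Attr(GROUP, "role-admins", GROUP_ISSUER)],
]

if __name__ == "__main__":
    for a in (ROLE_FROM_BOB, ROLE_FROM_CAROL, ROLE_FROM_DAVE):
        print(a.issuer, accept(REQUEST, a, "role-admins"))
```

The two trust anchors are themselves compared as plain strings, so the sketch validates only one link of the chain.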


