Re: [xacml] another small time/date issue

[Seth Proctor <Seth.Proctor@Sun.COM>]

> I'm was under the current understanding that there was no such thing as
> the "current" time and date, at least in the temporal sense with respect
> to the time of evaluation. The time is or at least should be, an attribute
> of the request.

In section 10.2.5, it makes it pretty clear that the current-time,
current-date, and current-dateTime must always be available in an
evaluation. They may be supplied in the Request, but if they're not
provided there, then the PDP must supply the values. Unfortunately,
there is nothing to explain what "current" here means (see below).
Basically, the spec calls these out as special attributes, and makes it
clear the the PDP must have a way to deal with them.

> I have argued before, that the current time is NOT the time of evaluation,
> but it is really a question, "at this <specified> time?"  For instance,
> one would want to know if George had access to resource X at 13:00 Aug 12,
> 2000, as well one might want to know if Alice will have access to resource
> Y at 22:13 June 25, 2004. If the time is "now", the request builder should 
> insert the appropriate time.

This is a separate issue from the one I raised, but I agree that the
notion of current is somewhat confusing. The easiest answer is to treat
current as "at the PDP" if no values are provided, but again there's
nothing in the spec (that I know of) that says this is the right/only
way to do it.


seth