Subject: RE: [xacml] another small time/date issue
..but PDP is not intended to be a source (for "adding/enhancing") of information, is it? In most cases, one would expect the same piece of code to somehow provide both PDP and PIP services, but for the purpose of the standard these are two very distinct activities, I would imagine.

Same reason as for why the bags are not ordered. Attempt to prescribe how it is to be done may be too much for us to tackle, and I am not sure that we should try. XACML is deterministic given that PIP and request provides the exact same data, but does not require that, beyond the statement that condition functions shall not have side effects and shall return the same response for the same arguments every time.

D.

-----Original Message-----
From: bill parducci [mailto:bill.parducci@overxeer.com]
Sent: Thursday, August 14, 2003 11:41 AM
To: xacml@lists.oasis-open.org
Subject: Re: [xacml] another small time/date issue

unless i read this incorrectly it seems that these are not mutually exclusive positions: a request goes to a single PDP whereby information may be added/enhanced for downstream decision requests. in this scenario, attributes may be changed in the life span of an aggregate of decisions, but they remain 'explicit' (static) for each decision context.

true, this may lend itself to unanticipated decisions in the macro sense, but each localized decision--that which i believe XACML is intended to cover--will resolve deterministically.

b

Daniel Engovatov wrote:
> It may. But do we really want to specify exactly how it is done without
> unduly restricting architecture of implementations?
> I thought it would be beneficial for an authorization language standard
> to stay out of data flow management and operational behavior as much as
> possible. We specify how to deal with attributes that are explicitly
> provided in a request, but anything concerning PIP sources of
> information was intentionally left undefined, as far as I remember.
>
> Daniel.
>
> -----Original Message-----
> From: Anne Anderson - Sun Microsystems [mailto:Anne.Anderson@sun.com]
> Sent: Tuesday, August 12, 2003 5:36 PM
> To: Daniel Engovatov; Seth Proctor
> Cc: xacml@lists.oasis-open.org; Polar Humenn
> Subject: RE: [xacml] another small time/date issue
>
> Won't the initial Request go to a single PDP? And that PDP might
> invoke others to evaluate sub-policies?
>
> If that is the case, then the initial PDP could add its concept of
> "current-time/date/dateTime" to the Request context that it sends
> to any other PDP for subordinate evaluation.
>
> -Anne
>
> You may leave a Technical Committee at any time by visiting http://www.oasis-open.org/apps/org/workgroup/xacml/members/leave_workgroup.php
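The arrangement discussed in this thread, as an added example that is not part of the original messages and not code from any XACML implementation: an initial PDP either lets each subordinate PDP resolve the current time itself or stamps the standard current-dateTime environment attribute into the request context once before delegating. The class names, the ticking clock and the cutoff policy are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Standard XACML 1.0 environment attribute identifier.
CURRENT_DATETIME = "urn:oasis:names:tc:xacml:1.0:environment:current-dateTime"

def ticking_clock(start, step=timedelta(seconds=1)):
    """Constructed clock: returns start, then advances by step on every read."""
    state = {"now": start - step}
    def clock():
        state["now"] += step
        return state["now"]
    return clock

class SubPDP:
    """Hypothetical subordinate PDP whose policy permits only before a cutoff."""
    def __init__(self, cutoff, clock):
        self.cutoff, self.clock = cutoff, clock

    def evaluate(self, request):
        # Use the explicit attribute if the request carries one; otherwise
        # resolve it locally, as a PIP lookup would.
        now = request.get("environment", {}).get(CURRENT_DATETIME) or self.clock()
        return "Permit" if now < self.cutoff else "Deny"

class RootPDP:
    """Hypothetical initial PDP that delegates to subordinate PDPs."""
    def __init__(self, subs, clock, pin_time):
        self.subs, self.clock, self.pin_time = subs, clock, pin_time

    def evaluate(self, request):
        ctx = dict(request)
        if self.pin_time:
            # Stamp the time once; a value supplied by the caller is kept.
            env = dict(ctx.get("environment", {}))
            env.setdefault(CURRENT_DATETIME, self.clock())
            ctx["environment"] = env
        return [sub.evaluate(ctx) for sub in self.subs]

def run(pin_time):
    # Constructed scenario: evaluation starts one second before the cutoff.
    cutoff = datetime(2003, 8, 14, 17, 0, 0, tzinfo=timezone.utc)
    clock = ticking_clock(cutoff - timedelta(seconds=1))
    subs = [SubPDP(cutoff, clock), SubPDP(cutoff, clock)]
    return RootPDP(subs, clock, pin_time).evaluate({"subject": "alice", "action": "read"})

if __name__ == "__main__":
    print("local clocks:", run(pin_time=False))
    print("pinned time: ", run(pin_time=True))
```

With local clocks the two subordinate evaluations straddle the cutoff and disagree; with the pinned attribute both see the same instant.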