[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml] canonicalization for XACML instances being signed
Anne Anderson wrote:
> For example, will an XACML
> Response be removed from its SAML DecisionStatement or SAML
> Assertion and put into some other envelope for retransmission?
at first glance it would seem that canonicalization is necessary under
this scenario:
(from: Abstract Requirements for SAML AuthorizationDecisionQuery/Response)
5. Way to return an XACML Policy/PolicySet in a Decision as a
condition that must evaluate to "Permit" in order for the
Decision to be valid. Way to indicate that such a condition
is associated with the Decision. Might be appropriate to put
this condition and indication into the XACML Response Context
itself.
just kinda winging it here, but my thinking is that this may involve the
chunking of policy(ies)(sets) from a source that may have a
fundamentally different context than that of the PEP being responded to.
b
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]