OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [xacml] XACML Obligations and SAML Conditions (?)


In my mind, the issuer of an assertion vouches for the validity of the 
statement, and that the conditions clause should only apply to the validity of 
the statement as a whole.

In the case of an xacml response, the obligations seems part of that response, 
and together constitute the statement. It is this complete statement that will 
be used by the pep after the validation of the assertion.

To pull the obligations out and carry them in the saml's conditions doesn't seem 
to fit that model well.

-Frank.


Polar Humenn wrote:

> On Wed, 10 Sep 2003, Frank Siebenlist wrote:
> 
> 
>>My feel is that the saml condition is on the assertion level, while the xacml 
>>obligation is on the decision response level.
>>
>>Does it make sense to have the decision response including the obligations live 
>>outside of the assertion?
>>If the answer is yes, then that may have answered the question...
> 
> 
> I'm not quite sure what you mean.
> 
> An obligation is part of the decision response. If we use the SAML
> Response to wrap this XACML response, By virtue of being a SAML Response,
> does that mean the XACML Response must be an Assertion? So, do you mean by
> turning the response into a SAML Assertion that we should strip the
> obligations out and put them some where else?
> 
> -Polar
> 
> 
>>-Frank.
>>
>>
> 
> 

-- 
Frank Siebenlist              franks@mcs.anl.gov
The Globus Project - Argonne National Laboratory



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]