Subject: RE: [xacml] Concrete Proposal of ConditionReference (#7)
>Generating these unfortunate attributes should be constrained to the
>RequestHandler. Not the PDP.

Ugghghhhhhhh! Why not context handler?

>That is EXTREMELY unfortunate, and any product that does that I wouldn't
>put any faith in, let alone buy. This is why standards must adhere to
>formalisms that guarantee the integrity of the products that are
>deployed.

I am sorry you feel the way you do. While this may be unfortunate, it may be inevitable. Ever tried to insist to a customer that you must have full control over when, how and why THEIR data is supposed to be changing? When you try to make a local copy and synchronize all the PDPs looking at the same policy to it, you can actually make things worse, as you will be working on stale data.

For a distributed system hooked up to a distributed data source that is controlled BY SOMEONE ELSE, it is not practical to provide such a guarantee, and in many cases it is not needed.

I believe we shall not make any assumptions about when and how context data is provided. Mathematically inelegant? Yes. Should we provide an *option* to straighten this out? Absolutely. But not require that.

Daniel;