OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [xacml] request's attribute assertion lifetime?

Daniel Engovatov wrote:

>>The reason for this approach, is that we did not want XACML to become a
>>validation engine.  The business of checking signatures, validity
> 
> times,
> 
>>handling cryptographic computational complexity, is all out of scope,
> 
> and
> 
>>that is easily divided and pawned off on some other entity, so XACML
> 
> will
> 
>>have to complicate is job with those matters.
> 
> 
> 
> Yep.  It is the job of the PIP (context handler) to validate whether any
> information requested and used by the PDP is valid, including any
> timeouts etc.  We do not (and can not) standardize that reliably.

Why the "can not"? What are the fundamental reasons?
(just trying to understand the issues)

-Frank.

-- 
Frank Siebenlist               franks@mcs.anl.gov
The Globus Alliance - Argonne National Laboratory

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]