Subject: Re: [xacml] request's attribute assertion lifetime?


On 4 March, Polar Humenn writes: Re: [xacml] request's attribute assertion lifetime?
 > On Thu, 4 Mar 2004, Frank Siebenlist wrote:
 > 
 > > I just came across the fact that the request's attribute element has an
 > > optional IssueInstant element to indicate the date and time at which the
 > > attribute was issued, but you can't seem to specify a duration validity interval.
 > >
 > > Any reason for that?
 > 
 > All values attributed to resources, subjects, and actions pertinent to
 > the Access Decision Request should be validated for the request. (Another
 > reason why the PDP shouldn't supply the "current-time", a serious fault,
 > IMHO). The XACML Policy does not do validation. The PDP performs access
 > decisions based on valid information.

Agreed.  The validity interval occurs in the structure containing
the XACML Request Context.  For example, a SAML Attribute
Assertion.  The SAML Assertion contains the Issuer name, the
validity period, the signature, etc.

By the time the Attribute gets to the PDP, it is assumed to be a
valid Attribute.  All checking must be done by the context
handler and its minions.

 > The reason for this approach is that we did not want XACML to become a
 > validation engine.  The business of checking signatures, validity times,
 > handling cryptographic computational complexity, is all out of scope, and
 > that is easily divided and pawned off on some other entity, so XACML will
 > not have to complicate its job with those matters.
 > 
 > As far as Time goes, I never liked IssueInstant being in the
 > RequestContext. Furthermore, you can't search on it using an
 > AttributeDesignator, so its existence is really moot, except, I guess,
 > for the XPath folks.

I would like to suggest we remove it.  We should either go whole
hog and include everything XPath might be able to use, or clearly
define what the XACML PDP handles and what the Context Handler
handles.  If we want to include things just for XPath access,
wouldn't validity period be more important than IssueInstant?  Do
we want to open that can?

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
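The division of labour described in this thread (the context handler and "its minions" validate the carrier of the attributes, the PDP only ever sees attributes assumed valid) can be illustrated with a small context-handler step. The following is an added example, not code from the list or from any XACML implementation: it checks a constructed SAML 1.x-style attribute assertion's issuer and validity window (NotBefore / NotOnOrAfter) and only then turns its attributes into XACML Request Context `Attribute` elements. The sample assertion, the issuer name `https://idp.example.org`, the attribute `role` and the clock-skew allowance are assumptions for illustration; signature verification, also out of scope for the PDP per the thread, is assumed to happen in a separate step before this one.

```python
"""Context-handler validation of an attribute assertion before it reaches a PDP.

Added example (not from the XACML list or any XACML product). The context
handler, not the PDP, owns the validity check and supplies the current time.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"      # SAML 1.x assertion namespace
XACML_CTX_NS = "urn:oasis:names:tc:xacml:1.0:context"  # XACML 1.0 request context namespace
NS = {"saml": SAML_NS}

# Constructed sample assertion (assumption: issuer, attribute name and values are made up).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}"
    AssertionID="example-1" Issuer="https://idp.example.org"
    IssueInstant="2004-03-04T10:00:00Z">
  <saml:Conditions NotBefore="2004-03-04T10:00:00Z" NotOnOrAfter="2004-03-04T11:00:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="role" AttributeNamespace="urn:example:attrs">
      <saml:AttributeValue>clerk</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


@dataclass(frozen=True)
class Attribute:
    attribute_id: str
    value: str
    issuer: str


def parse_instant(text: str) -> datetime:
    """Parse a UTC xsd:dateTime of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validated_attributes(assertion_xml: str, now_text: str, trusted_issuers: set,
                         skew: timedelta = timedelta(seconds=30)) -> list:
    """Return the assertion's attributes only if issuer and validity window check out.

    `now_text` is supplied by the context handler (the PDP never supplies the time).
    Raises ValueError for anything the PDP must not be allowed to see.
    """
    now = parse_instant(now_text)
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("not a SAML 1.x assertion")
    issuer = root.get("Issuer")
    if issuer not in trusted_issuers:
        raise ValueError(f"untrusted issuer: {issuer!r}")
    cond = root.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        raise ValueError("assertion carries no validity interval")
    not_before = parse_instant(cond.get("NotBefore"))
    not_on_or_after = parse_instant(cond.get("NotOnOrAfter"))
    # Small skew tolerates clock drift between issuer and context handler.
    if now + skew < not_before:
        raise ValueError("assertion not yet valid")
    if now - skew >= not_on_or_after:
        raise ValueError("assertion expired")
    attrs = []
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        attr_id = f"{attr.get('AttributeNamespace')}:{attr.get('AttributeName')}"
        for val in attr.iterfind("saml:AttributeValue", NS):
            attrs.append(Attribute(attr_id, (val.text or "").strip(), issuer))
    return attrs


def build_request_subject(attrs: list) -> str:
    """Serialise validated attributes as an XACML 1.0 context Subject element.

    Only AttributeId, DataType, Issuer and the value are carried; no validity
    period is passed on, since the PDP treats what it receives as already valid.
    """
    subject = ET.Element(f"{{{XACML_CTX_NS}}}Subject")
    for a in attrs:
        el = ET.SubElement(subject, f"{{{XACML_CTX_NS}}}Attribute", {
            "AttributeId": a.attribute_id,
            "DataType": "http://www.w3.org/2001/XMLSchema#string",
            "Issuer": a.issuer,
        })
        ET.SubElement(el, f"{{{XACML_CTX_NS}}}AttributeValue").text = a.value
    return ET.tostring(subject, encoding="unicode")


if __name__ == "__main__":
    trusted = {"https://idp.example.org"}
    ok = validated_attributes(SAMPLE_ASSERTION, "2004-03-04T10:30:00Z", trusted)
    print(build_request_subject(ok))
    try:
        validated_attributes(SAMPLE_ASSERTION, "2004-03-04T12:30:00Z", trusted)
    except ValueError as exc:
        print("rejected before reaching the PDP:", exc)
```

Run it as a script to see one assertion accepted and rendered as a context `Subject`, and the same assertion rejected two hours later without the PDP ever being involved; a policy written against `urn:example:attrs:role` then needs no time comparison of its own.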