OASIS Mailing List Archives

xacml message



Subject: RE: [xacml] request's attribute assertion lifetime?


>> After the decision is made - it is PEP job on how and when to use it.

>Time is different than any other attribute as it moves in predictable
>ways. This is not a philosophical observation but is truly used.

Does it?  I doubt I will find two machines in my office that do have
time set to the same value. 

There are many other attributes that move in predictable ways: for
example "tide-height", or "spending-account-balance" - and you can not
reduce it to time.  I still think time has no unique qualities as a
data type.

The only way to ensure predictable interoperability is to provide all
data used in evaluation in request.   If you are interested in time
intervals, you may extend a new data type - "timeInterval".   It will
absolutely cover all your needs.

The only important thing - evaluation may be performed only against a
point in context space, or on a countable set of such points (as for
hierarchical resources for example).   I just do not see how you can
construct a query against an uncountable set.

> Except that I can not incorporate the validity time check for the
> assertions that are used in the evaluation as their validity is only 
> compared to the current time before the PDP gets its hand on it.

PDP evaluation would be valid against whatever dataset you provided.
You can validate this dataset prior, or after evaluation, or during
enforcement, or after enforcement, or when federal agents come knocking
on your door, or on Mondays, or never.   It is a forever fixed
collection of values; one of them is "current-time".

Daniel.
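
The position argued in the message above, as an added example that is not part of the original post or of the XACML specification: a toy PDP that evaluates only the values in the request context, with current-time and each assertion's validity interval supplied as data. The request layout, the `assertions`, `validity` and `role` keys, the policy and all sample values are assumptions constructed for illustration; only the current-time attribute identifier is a real XACML name.

```python
from datetime import datetime, timezone

# Real XACML environment attribute identifier; every other name is hypothetical.
CURRENT_TIME = "urn:oasis:names:tc:xacml:1.0:environment:current-time"


def evaluate(request):
    """Toy PDP: a pure function of the request context. It never reads a clock."""
    now = request.get(CURRENT_TIME)
    if now is None:
        # Missing data is reported, not silently replaced by the PDP host's time.
        return "Indeterminate"
    roles = set()
    for assertion in request.get("assertions", []):
        # "timeInterval"-style value: (not_before, not_on_or_after).
        not_before, not_on_or_after = assertion["validity"]
        # The validity check happens inside evaluation, against the supplied time.
        if not_before <= now < not_on_or_after:
            roles.add(assertion["role"])
    if "auditor" in roles and request.get("action") == "read":
        return "Permit"
    return "Deny"


def with_time(request, when):
    """Return a copy of the request context with a different current-time value."""
    return {**request, CURRENT_TIME: when}


# Constructed sample request context (not taken from the thread).
REQUEST = {
    CURRENT_TIME: datetime(2003, 5, 1, 12, 0, tzinfo=timezone.utc),
    "action": "read",
    "assertions": [
        {
            "role": "auditor",
            "validity": (
                datetime(2003, 5, 1, 0, 0, tzinfo=timezone.utc),
                datetime(2003, 5, 2, 0, 0, tzinfo=timezone.utc),
            ),
        }
    ],
}
# Constructed time after the assertion's validity interval has ended.
LATER = datetime(2003, 5, 3, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(evaluate(REQUEST))                     # same context, same decision, whenever run
    print(evaluate(with_time(REQUEST, LATER)))   # a different point in context space
```

Whether a decision computed for one current-time value is still acceptable when the PEP enforces it is outside this function, which matches the split of responsibilities described in the message.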




