OASIS Mailing List Archives
xacml message

Subject: RE: [xacml] request's attribute assertion lifetime?




Daniel Engovatov wrote:
>...
>>Except that I can not incorporate the validity time check for the
>>assertions that are used in the evaluation as their validity is only 
>>compared to the current time before the PDP gets its hand on it.
> 
> 
> PDP evaluation would be valid against whatever dataset you provided.
> You can validate this dataset prior, or after evaluation, or during
> enforcement, or after enforcement, or when federal agents come knocking
> on your door, or on Mondays, or never.   It is a forever fixed
> collection of values; one of them is "current-time".

> Could you please show me how I could get the validity time interval of an
> attribute assertion, like SAML, into the request context, tied to the
> associated request's attribute?
> (just simple time interval, no conditions, this is about the certificate
> lifetime...)


But my point was that I do not think it belongs there.  Maybe we are not
talking about the same thing... Hm...

Whoever constructs the context does the validity-check, though one can
certainly place whatever information is relevant for the policy into the
context, if one wants to write explicit rules against this information.
If this responsibility is distributed (such as in a case when a local
routine computes the "current-time") this can be resolved by aggregating
the used data for validation.  For example, whatever protocol is used
for PEP-to-PDP calls, it may return whatever local variables were
computed during evaluation alongside the decision.  Time may be only one
of them.

If I am to design such a system, I would either rely on the fact that the
evaluation duration is inconsequential for the validity check (assuming
it happens instantaneously, assuming you do not care about less than a
millisecond, and the PEP and PDP use the same time source), or compute
"current-time" in the same place where the validity check is performed
and pass it along - I guess this is a perfectly compatible strategy.

Daniel.
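The second strategy from the message above, as an added example that is not code from this thread or from any XACML implementation: the component that builds the request context reads the clock once, checks each SAML-style attribute assertion's validity interval against that single reading, places the same reading into the context as "current-time", and the toy PDP returns that value alongside the decision so the PEP can re-check it at enforcement. All names (AttributeAssertion, RequestContext, Response, build_context, evaluate, is_fresh), the rule format and the sample data are hypothetical constructions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Added example; not code from the xacml thread or any XACML product.
# All names below are hypothetical.


@dataclass(frozen=True)
class AttributeAssertion:
    """A SAML-style attribute assertion with a plain validity interval."""
    attribute_id: str
    value: str
    not_before: datetime
    not_on_or_after: datetime


@dataclass
class RequestContext:
    """The fixed dataset the PDP evaluates against. 'current-time' is one
    of its values, set once when the context is built and never re-read."""
    attributes: dict
    current_time: datetime
    rejected: list = field(default_factory=list)


@dataclass(frozen=True)
class Response:
    """Decision plus the local variables the PDP used, handed back to the PEP."""
    decision: str
    current_time: datetime
    attributes_used: dict


def build_context(assertions, now):
    """Validity check and 'current-time' are computed in the same place from
    one clock reading, so the PDP cannot see a time the assertions were not
    checked against. Invalid assertions never enter the context."""
    ctx = RequestContext(attributes={}, current_time=now)
    for a in assertions:
        if a.not_before <= now < a.not_on_or_after:
            ctx.attributes[a.attribute_id] = a.value
        else:
            ctx.rejected.append(a.attribute_id)  # expired or not yet valid
    return ctx


def evaluate(ctx, rules):
    """Toy PDP. A rule is a dict of attribute_id -> required value and may
    carry an 'hours' key, (start, end), restricting current-time's hour.
    Permit on the first matching rule, otherwise Deny. The time used is
    the one fixed in the context, not a fresh clock read."""
    for rule in rules:
        hours = rule.get("hours")
        if hours and not (hours[0] <= ctx.current_time.hour < hours[1]):
            continue
        needed = {k: v for k, v in rule.items() if k != "hours"}
        if all(ctx.attributes.get(k) == v for k, v in needed.items()):
            return Response("Permit", ctx.current_time, needed)
    return Response("Deny", ctx.current_time, {})


def decide(assertions, rules, now=None):
    """PEP-to-PDP call: build the context and evaluate in one step."""
    now = now or datetime.now(timezone.utc)
    return evaluate(build_context(assertions, now), rules)


def is_fresh(response, now, tolerance=timedelta(seconds=5)):
    """Enforcement-time check by the PEP: the decision was made against
    response.current_time; reject it if that reading is older than the
    tolerance (or in the future) relative to the PEP's clock. Assumes the
    PEP and PDP share a time source, as the message above assumes."""
    age = now - response.current_time
    return timedelta(0) <= age <= tolerance


# Constructed sample data (not from the thread).
SAMPLE_NOW = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)
SAMPLE_ROLE = AttributeAssertion(
    "role", "admin",
    SAMPLE_NOW - timedelta(hours=12), SAMPLE_NOW + timedelta(hours=12))
SAMPLE_EXPIRED = AttributeAssertion(
    "role", "admin",
    SAMPLE_NOW - timedelta(hours=3), SAMPLE_NOW - timedelta(hours=1))
SAMPLE_RULES = [{"role": "admin", "hours": (9, 17)}]

if __name__ == "__main__":
    r = decide([SAMPLE_ROLE], SAMPLE_RULES, now=SAMPLE_NOW)
    print(r.decision, "at", r.current_time.isoformat())
```

Because the context is a frozen snapshot, validating it "prior, after evaluation, or during enforcement" all refer to the same `current_time` value; the PEP's `is_fresh` check is one such later validation that only works because the PDP echoed that variable back with the decision.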
