Subject: Re: [xacml] request's attribute assertion lifetime?
WSPL also provides a way to tackle the problem of intervals.

Let X be the attribute about which interval-type questions are
asked. It might be a milepost on a road, a time of day, etc.

Assume the Resource Accessor's policy says "X >= 5 AND X <= 8".

1) If the Resource Protector's policy says "X >= 2 AND X <= 9",
   then the merged policy says "X >= 5 AND X <= 8", indicating
   that the Resource Accessor's entire range is acceptable.

2) If the Resource Protector's policy says "X >= 6 AND X <= 9",
   then the merged policy says "X >= 6 AND X <= 8", indicating
   that only part of the Resource Accessor's desired range is
   acceptable.

3) If the Resource Protector's policy says "X >= 1 AND X <= 4",
   then the merged policy is empty, indicating the Resource
   Accessor's desired range is completely unacceptable.

The Resource Accessor in the WSPL case doesn't get a simple
"Permit" or "Deny" answer, but perhaps this more complex result
is appropriate for the more complex concept of intervals.

Anne

On 15 March, Polar Humenn writes: Re: [xacml] request's attribute assertion lifetime?
> From: Polar Humenn <polar@syr.edu>
> To: Frank Siebenlist <franks@mcs.anl.gov>
> Cc: Daniel Engovatov <dengovatov@bea.com>, XACML TC <xacml@lists.oasis-open.org>
> Subject: Re: [xacml] request's attribute assertion lifetime?
> Date: Mon, 15 Mar 2004 10:28:44 -0500 (EST)
>
>
> Greetings,
>
> Spring Break is over, I am back :)
>
> On Wed, 10 Mar 2004, Frank Siebenlist wrote:
>
> > [snip]
>
> > Time is different than any other attribute as it moves in predictable ways. This
> > is not a philosophical observation but is truly used.
>
> True, which is exactly why we shouldn't go diving into throwing XML
> attributes around to solve a complicated problem without major study.
>
> XACML presently defines access control on attributes assumed to be valid,
> whether that validity is based on time, issuer, signatures, which is all
> up to the Request Handler. Admittedly, we do not have a specification for
> the Request Handler (of which I think Daniel would like).
>
> I can foresee, however, some form of XACML to handle the problem of
> intervals, but if needed, as an extension, and only after significant
> research in the area. Please keep in mind that intervals not only apply to
> time. For instance, "Is Alice allowed on section of road R between points
> A and B?"
>
> We may tackle this problem by forming a specific committee to study the
> issue for Intervals Based XACML or some such thingy. There is a lot of
> research in temporal logics and such that may be helpful. However, I would
> like to see a significant interest in the subject and commitment to study
> before we attempt to solve one small use case, which can be solved by
> formulating attributes in the way that Daniel described.
>
> Cheers,
> -Polar
>
> To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/xacml/members/leave_workgroup.php.
>

--
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
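
The three merge cases in the message above, worked as interval intersection in Python. This is an added example, not part of the original message and not WSPL syntax or code; the "X >= n AND X <= m" mini-grammar and the names parse_policy and merge are assumptions made for illustration.

```python
import re
from typing import Optional, Tuple

# Constructed mini-grammar (an assumption, not WSPL syntax): a policy is a
# conjunction of "X >= n" / "X <= n" terms joined by AND.
TERM = re.compile(r"^\s*X\s*(>=|<=)\s*(-?\d+)\s*$")
NEG_INF, POS_INF = float("-inf"), float("inf")


def parse_policy(text: str) -> Tuple[float, float]:
    """Reduce a conjunction of bounds on X to one closed interval [low, high]."""
    low, high = NEG_INF, POS_INF
    for term in text.split("AND"):
        m = TERM.match(term)
        if m is None:
            raise ValueError(f"unsupported term: {term!r}")
        op, value = m.group(1), int(m.group(2))
        if op == ">=":
            low = max(low, value)    # tightest lower bound wins
        else:
            high = min(high, value)  # tightest upper bound wins
    return low, high


def merge(accessor: str, protector: str) -> Tuple[Optional[str], str]:
    """Intersect both policies.

    Returns (merged policy, outcome). The merged policy is None when the
    intersection is empty; outcome says how much of the accessor's range
    survived: "entire", "partial" or "none".
    """
    a_lo, a_hi = parse_policy(accessor)
    p_lo, p_hi = parse_policy(protector)
    lo, hi = max(a_lo, p_lo), min(a_hi, p_hi)
    if lo > hi:
        return None, "none"
    terms = []
    if lo != NEG_INF:
        terms.append(f"X >= {lo}")
    if hi != POS_INF:
        terms.append(f"X <= {hi}")
    merged = " AND ".join(terms) or "TRUE"  # no bounds left: unconstrained
    outcome = "entire" if (lo, hi) == (a_lo, a_hi) else "partial"
    return merged, outcome


if __name__ == "__main__":
    accessor = "X >= 5 AND X <= 8"
    for protector in ("X >= 2 AND X <= 9", "X >= 6 AND X <= 9", "X >= 1 AND X <= 4"):
        print(protector, "->", merge(accessor, protector))
```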