OASIS Mailing List Archives

xacml message


Subject: Re: [xacml] request's attribute assertion lifetime?


WSPL also provides a way to tackle the problem of intervals.  Let
X be the attribute about which interval-type questions are
asked.  It might be a milepost on a road, a time of day, etc.
Assume the Resource Accessor's policy says "X >= 5 AND X <= 8".

1) If the Resource Protector's policy says "X >= 2 AND X <= 9",
   then the merged policy says "X >= 5 AND X <= 8", indicating
   that the Resource Accessor's entire range is acceptable.
2) If the Resource Protector's policy says "X >= 6 AND X <= 9",
   then the merged policy says "X >= 6 AND X <= 8", indicating
   that only part of the Resource Accessor's desired range is
   acceptable.
3) If the Resource Protector's policy says "X >= 1 AND X <= 4",
   then the merged policy is empty, indicating the Resource
   Accessor's desired range is completely unacceptable.

The Resource Accessor in the WSPL case doesn't get a simple
"Permit" or "Deny" answer, but perhaps this more complex result
is appropriate for the more complex concept of intervals.

Anne

On 15 March, Polar Humenn writes: Re: [xacml] request's attribute assertion lifetime?
 > From: Polar Humenn <polar@syr.edu>
 > To: Frank Siebenlist <franks@mcs.anl.gov>
 > Cc: Daniel Engovatov <dengovatov@bea.com>, XACML TC <xacml@lists.oasis-open.org>
 > Subject: Re: [xacml] request's attribute assertion lifetime?
 > Date: Mon, 15 Mar 2004 10:28:44 -0500 (EST)
 > 
 > 
 > Greetings,
 > 
 > Spring Break is over, I am back :)
 > 
 > On Wed, 10 Mar 2004, Frank Siebenlist wrote:
 > 
 > > [snip]
 > 
 > > Time is different than any other attribute as it moves in predictable ways. This
 > > is not a philosophical observation but is truly used.
 > 
 > True, which is exactly why we shouldn't go diving into throwing XML
 > attributes around to solve a complicated problem without major study.
 > 
 > XACML presently defines access control on attributes assumed to be valid,
 > whether that validity is based on time, issuer, signatures, which is all
 > up to the Request Handler. Admittedly, we do not have a specification for
 > the Request Handler (of which I think Daniel would like).
 > 
 > I can foresee, however, some form of XACML to handle the problem of
 > intervals, but if needed, as an extension, and only after significant
 > research in the area. Please keep in mind that intervals not only apply to
 > time. For instance, "Is Alice allowed on section of road R between points
 > A and B?"
 > 
 > We may tackle this problem by forming a specific committee to study the
 > issue for Intervals Based XACML or some such thingy. There is a lot of
 > research in temporal logics and such that may be helpful. However, I would
 > like to see a significant interest in the subject and commitment to study
 > before we attempt to solve one small use case, which can be solved by
 > formulating attributes in the way that Daniel described.
 > 
 > Cheers,
 > -Polar
 > 

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
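
The three merge cases in the message above, worked through as an added example that is not part of the original email and is not WSPL's own merge algorithm. It assumes the email's shorthand strings ("X >= 5 AND X <= 8") rather than real WSPL syntax, uses hypothetical function names (`parse`, `merge`, `render`), and goes beyond the three cases by also handling strict bounds and equality.

```python
import re

INF = float("inf")
PRED = re.compile(r"\s*X\s*(>=|<=|>|<|=)\s*(-?\d+(?:\.\d+)?)\s*$")

def parse(policy):
    """Turn shorthand such as 'X >= 5 AND X <= 8' into (lower, upper) bounds.

    lower = (value, is_open) and upper = (value, is_closed), so that max() on
    lowers and min() on uppers always selects the stricter bound.
    """
    lo, hi = (-INF, True), (INF, False)
    for term in re.split(r"\s+AND\s+", policy.strip()):
        m = PRED.match(term)
        if not m:
            raise ValueError(f"unsupported predicate: {term!r}")
        op, v = m.group(1), float(m.group(2))
        if op in (">=", ">", "="):
            lo = max(lo, (v, op == ">"))
        if op in ("<=", "<", "="):
            hi = min(hi, (v, op != "<"))
    return lo, hi

def is_empty(lo, hi):
    (lv, l_open), (hv, h_closed) = lo, hi
    # Empty if the bounds cross, or touch at a point that either side excludes.
    return lv > hv or (lv == hv and (l_open or not h_closed))

def render(lo, hi):
    (lv, l_open), (hv, h_closed) = lo, hi
    if lv == hv:
        return f"X = {lv:g}"
    parts = []
    if lv != -INF:
        parts.append(f"X {'>' if l_open else '>='} {lv:g}")
    if hv != INF:
        parts.append(f"X {'<=' if h_closed else '<'} {hv:g}")
    return " AND ".join(parts) or "TRUE"  # "TRUE": no constraint left on X

def merge(accessor, protector):
    """Intersect two policies; None means the merged policy is empty."""
    (alo, ahi), (plo, phi) = parse(accessor), parse(protector)
    lo, hi = max(alo, plo), min(ahi, phi)
    return None if is_empty(lo, hi) else render(lo, hi)
```

A `None` result corresponds to case 3, where the Resource Accessor's desired range is completely unacceptable.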
