Subject: Re: [xacml] request's attribute assertion lifetime?
Daniel Engovatov wrote:
>>For example
>>GRANT(swim) if 3pm < time < 5pm AND tide < 1ft.
>>What is the "isValid" interval for this policy?
>
>
> Answering to myself, I guess here it would be 0, as time and tide will
> not have a validity interval (they are computed for "now")
>
> So, if any parameter may be time dependent, its validity interval is a
> single point at [current-time]. So all this mechanism for computing
> validity intervals would only be useful to check if "current-time" is in
> the validity interval for each attribute. That is already done by the
> context handler.
>
> Still can not see a single argument why it should be part of the policy
> evaluation. It is an entirely different problem than the authorization
> operation.

I tried to argue before:

"...decisions for a single time T are not very useful in practice and we rely on unspoken, implicit time-intervals for which we assume the validity of that decision."

and

"The PEP actually makes use of that property to note implicitly or explicitly that the current time is still within an acceptable range compared to the time for which the decision was evaluated."

In other words, we are already using time intervals for authorization decisions and enforcement ... maybe it's time to acknowledge that and formalize it instead of keeping it fuzzy and under the carpet.

-Frank.

-- 
Frank Siebenlist franks@mcs.anl.gov
The Globus Alliance - Argonne National Laboratory
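The two positions in this message, worked through on the swim policy as an added example (not code from either poster or from the XACML specification). It assumes a decision's validity is the intersection of its input attributes' validity intervals; the names Attr, decision_validity, pdp_swim, pep_implicit and pep_explicit and all sample values are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Attr:
    value: float
    not_before: datetime  # start of the assertion's validity interval
    not_after: datetime   # end of the assertion's validity interval

def decision_validity(attrs):
    """Assumed rule: a decision is valid only while every input attribute is."""
    start = max(a.not_before for a in attrs)
    end = min(a.not_after for a in attrs)
    return (start, end) if start <= end else None

def pdp_swim(now, tide):
    """GRANT(swim) if 3pm < time < 5pm AND tide < 1ft, with a validity interval."""
    clock = Attr(now.hour + now.minute / 60, now, now)  # computed for "now"
    window = decision_validity([clock, tide])
    if window is None:  # tide assertion is not valid at `now`
        return "Indeterminate", None
    permit = 15 < clock.value < 17 and tide.value < 1.0
    return ("Permit" if permit else "Deny"), window

def pep_implicit(evaluated_at, enforce_at, tolerance):
    """Unspoken rule: act on a decision that is 'recent enough'."""
    return timedelta(0) <= enforce_at - evaluated_at <= tolerance

def pep_explicit(window, enforce_at):
    """Formalized rule: act only inside the interval returned with the decision."""
    return window is not None and window[0] <= enforce_at <= window[1]

# Constructed sample values
T = datetime(2004, 1, 1, 15, 30)
LATER = T + timedelta(seconds=2)
fresh_tide = Attr(0.5, T - timedelta(minutes=5), T + timedelta(minutes=5))
stale_tide = Attr(0.5, T - timedelta(hours=1), T - timedelta(minutes=10))

if __name__ == "__main__":
    decision, window = pdp_swim(T, fresh_tide)
    print(decision, window)  # the point-valued clock collapses the interval to [T, T]
    print(pep_explicit(window, LATER))                    # strict interval check
    print(pep_implicit(T, LATER, timedelta(seconds=30)))  # implicit tolerance
    print(pdp_swim(T, stale_tide))                        # expired tide assertion
```

Even with a tide assertion valid for ten minutes, the clock attribute pins the computed interval to a single instant, so a PEP enforcing two seconds later is relying on a tolerance that appears nowhere in the decision.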