OASIS Mailing List Archives

xacml message



Subject: RE: [xacml] request's attribute assertion lifetime?



>You can get the behavior you want by including the interval data as one
>of the dimensions of this POINT in the context, as, for example, Polar
>proposed.

P.S.

To elaborate: If the PDP is interested in whether it can use the
access decision from time A to time B, it can include A and B as
information in the request. Then you will get an explicit result:
{GRANT given A, B}. Then you have a defined context that includes
information on access time interval, and any other such information.
Nothing is "implicit".

I assert that in a general case one cannot assume that any of the
context data can be determined to be valid over some defined period of
time and that this can be used to compute A and B from within the PDP.
So we must use a countable subset in the context space. That's where I
would draw a "line" that Polar referred to: authorization should be
done against a countable subset of context data.

Daniel.
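
An added illustration of the "{GRANT given A, B}" idea from the message above; it is not part of the original post and is not XACML syntax. The class names, field names, sample role/resource values and the one-hour limit are all hypothetical: the interval is supplied as explicit request data, the decision is returned bound to that exact context, and a cached decision is reused only for the identical context and only inside [A, B].

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Request:
    # Every field is an explicit dimension of the context point (hypothetical names).
    subject_role: str
    resource: str
    action: str
    not_before: datetime  # "A" in the message
    not_after: datetime   # "B" in the message


@dataclass(frozen=True)
class Decision:
    effect: str     # "GRANT" or "DENY"
    given: Request  # the exact context the decision was computed for


MAX_INTERVAL = timedelta(hours=1)  # constructed policy limit, for illustration


def pdp_evaluate(req: Request) -> Decision:
    """Decide for the supplied point only; A and B are inputs, never derived here."""
    ok = (
        req.subject_role == "auditor"
        and req.resource == "ledger"
        and req.action == "read"
        and req.not_before <= req.not_after
        and req.not_after - req.not_before <= MAX_INTERVAL
    )
    return Decision("GRANT" if ok else "DENY", req)


def may_reuse(decision: Decision, req_now: Request, now: datetime) -> bool:
    """Enforcement side: reuse only for the identical context, only within [A, B]."""
    return (
        decision.effect == "GRANT"
        and decision.given == req_now
        and decision.given.not_before <= now <= decision.given.not_after
    )


if __name__ == "__main__":
    a = datetime(2002, 1, 1, 9, 0)  # constructed sample times
    b = a + timedelta(minutes=30)
    req = Request("auditor", "ledger", "read", a, b)
    dec = pdp_evaluate(req)
    print(dec.effect, "given", dec.given.not_before, dec.given.not_after)
    print("reusable at A+10min:", may_reuse(dec, req, a + timedelta(minutes=10)))
    print("reusable after B:", may_reuse(dec, req, b + timedelta(seconds=1)))
```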


