xacml message



Subject: Re: [xacml] request's attribute assertion lifetime?


Ok - I'm running out of steam here with Daniel, you and me repeating our 
arguments - I'll give up...

Regards, Frank.


Polar Humenn wrote:

>>I tried to argue before:
>>
>>"...decisions for a single time T are not very useful in practice and we rely on
>>unspoken, implicit time-intervals for which we assume the validity of that
>>decision."
> 
> 
> I'll take issue with the above comment, especially "not very useful in
> practice".  I might as well go home. Are any other people finding XACML
> not very useful in this regard?
> 
> 
>>and
>>
>>"The PEP actually makes use of that property to note implicitly or explicitly
>>that the current time is still within an acceptable range compared to the time
>>for which the decision was evaluated."
>>
>>In other words, we are already using time intervals for authorization decisions
>>and enforcement ... maybe it's time to acknowledge that and formalize it instead
>>of keeping it fuzzy and under the carpet.
> 
> 
> The only thing that is fuzzy is the specification of the Request Handler,
> and the PEP-PDP interface. It's fuzzy, because it isn't defined in XACML.
> Perhaps, it may be defined somewhere else.
> 
> The Request Handler can make sure that all attributes are valid for the
> period of time necessary to calculate, or retrieve the access decision,
> deliver it to the PEP and have the PEP enforce the decision within that
> time. That time interval can even be a parameter to the Request Handler.
> "You must produce a value by time T and it must last until T+n" This means
> that all information given to the Request Handler must be valid until T+n.
> Pretty easy stuff.
> 
> Furthermore, if you are looking for validity periods for cached access
> decisions, the Request/Reply Handler can do that as well as it can
> calculate the validity periods for all attributes and intersect them
> together, and place that in something that wraps the decision, such as an
> Assertion.
> 
> Are you looking for the PDP to calculate validity periods throughout the
> evaluation based on what attributes it may or may not look at? That means if a
> policy doesn't look at an attribute, its validity time doesn't enter into
> the validity interval of the decision?
> 
> Cheers,
> -Polar
> 
> 
>>-Frank.
>>
>>--
>>Frank Siebenlist               franks@mcs.anl.gov
>>The Globus Alliance - Argonne National Laboratory
>>
> 
> 

-- 
Frank Siebenlist               franks@mcs.anl.gov
The Globus Alliance - Argonne National Laboratory
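The two strategies Polar contrasts in the quoted message (a Request Handler that guarantees every input is valid over [T, T+n] and intersects all attribute windows into a wrapper around the cached decision, versus a PDP that only lets the attributes a policy actually consulted constrain the decision window) can be modelled in a few dozen lines. The block below is an added illustration written for this archive page; it is not code from Frank, Polar, Globus or any XACML implementation. The attribute identifiers ("role", "clearance", "session-token"), the half-open NotBefore/NotOnOrAfter windows, the sample times and the `meets_contract` / `enforce` names are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional, Set, Tuple

# Half-open validity window [not_before, not_on_or_after): an attribute or
# decision is usable at instant x iff not_before <= x < not_on_or_after.
Interval = Tuple[datetime, datetime]


@dataclass(frozen=True)
class Attribute:
    attr_id: str          # hypothetical short ids, not XACML attribute URIs
    value: str
    not_before: datetime
    not_on_or_after: datetime

    @property
    def window(self) -> Interval:
        return (self.not_before, self.not_on_or_after)


def intersect(a: Interval, b: Interval) -> Optional[Interval]:
    """Intersection of two half-open windows, or None when they do not overlap."""
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo < hi else None


def decision_validity(attrs: Iterable[Attribute],
                      consulted: Optional[Set[str]] = None) -> Optional[Interval]:
    """Validity window of a decision derived from these attributes.

    consulted=None models the Request Handler strategy: every attribute handed
    to the PDP constrains the decision. A set of attribute ids models the
    alternative Polar asks about: only attributes the policy actually evaluated
    constrain it, so an unused short-lived attribute does not shrink the window.
    Returns None when no attribute counts or the windows never overlap.
    """
    window: Optional[Interval] = None
    for a in attrs:
        if consulted is not None and a.attr_id not in consulted:
            continue
        window = a.window if window is None else intersect(window, a.window)
        if window is None:      # inputs are never simultaneously valid
            return None
    return window


def meets_contract(attrs: Iterable[Attribute], t: datetime, n: timedelta) -> bool:
    """'Produce a value by time T and it must last until T+n': every input must
    be valid at every instant of [T, T+n]."""
    w = decision_validity(attrs)
    return w is not None and w[0] <= t and t + n < w[1]


@dataclass(frozen=True)
class CachedDecision:
    """The decision plus its intersected window (the 'Assertion' wrapper in the thread)."""
    decision: str
    not_before: datetime
    not_on_or_after: datetime


def cache_decision(decision: str, attrs: Iterable[Attribute]) -> Optional[CachedDecision]:
    w = decision_validity(attrs)
    return None if w is None else CachedDecision(decision, w[0], w[1])


def enforce(cached: CachedDecision, now: datetime) -> Optional[str]:
    """PEP side: reuse the cached decision only while 'now' lies inside its
    window; None means the PEP must ask the PDP again rather than enforce a
    stale result."""
    if cached.not_before <= now < cached.not_on_or_after:
        return cached.decision
    return None


# Constructed sample input (not taken from the thread). T is the evaluation time.
T = datetime(2020, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_ATTRS: List[Attribute] = [
    Attribute("role", "operator", T - timedelta(hours=1), T + timedelta(hours=1)),
    Attribute("clearance", "internal", T - timedelta(days=1), T + timedelta(days=1)),
    # Short-lived attribute that the policy in this scenario never consults.
    Attribute("session-token", "abc123", T - timedelta(minutes=1), T + timedelta(minutes=5)),
]
POLICY_CONSULTED = {"role", "clearance"}

if __name__ == "__main__":
    print("all attributes:  ", decision_validity(SAMPLE_ATTRS))
    print("consulted only:  ", decision_validity(SAMPLE_ATTRS, POLICY_CONSULTED))
    print("holds for T..T+10min:", meets_contract(SAMPLE_ATTRS, T, timedelta(minutes=10)))
    cached = cache_decision("Permit", SAMPLE_ATTRS)
    print("enforce at T+3min:", enforce(cached, T + timedelta(minutes=3)))
    print("enforce at T+6min:", enforce(cached, T + timedelta(minutes=6)))
```

With the sample data the Request Handler strategy yields a five-minute window because the unused session token is the tightest input, while tracking consulted attributes yields the one-hour window of the role attribute; a caller asking for a decision that must hold for ten minutes is refused under the first strategy, which is exactly the intersection-versus-consulted-only trade-off the quoted question raises.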

