Subject: RE: [xacml] Validity periods in SAML Assertions
Isn't it the context handler's job to decide what is valid and what is INDETERMINATE? The PDP does not know what an assertion is - it knows about named attributes and, optionally, about the request context XML representation.

Another problem is what is "used during evaluation"? One assertion may be used in a rule evaluation, but the result of this rule will have no effect on the evaluation result. It is also quite possible to make a decision based on volatile data.

I suggest that we should say that the context handler will review attribute assertion validity when the data is requested by the PDP, and return INDETERMINATE for an invalid assertion. Validity of the Response assertion should be left for the implementation to decide, as there may be other data or factors, other than attribute assertion validity, that determine that.

PROPOSAL: the PDP SHALL use only Assertions that are valid at the PDP's evaluation time, regardless of the Request's "current-dateTime" value. The PDP SHALL use the intersection of the validity periods of all SAML Assertions used during the evaluation as the validity period in its Response Assertion. The PDP SHALL NOT use the "current-dateTime" in the Request Context to determine which SAML Assertions to use.
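As an added illustration (not code from this thread or from the XACML or SAML specifications), here is a small Python model of the behaviour under discussion: the context handler checks each assertion's NotBefore/NotOnOrAfter window at the PDP's own evaluation time when the PDP asks for an attribute, returns INDETERMINATE for an invalid one, and the Response validity is the intersection of the windows of the assertions actually consulted. The toy policy rule, attribute names and assertion windows are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

INDETERMINATE = "Indeterminate"

@dataclass(frozen=True)
class Assertion:
    """SAML attribute assertion reduced to its <Conditions> window and its attributes."""
    name: str
    not_before: datetime          # NotBefore, inclusive
    not_on_or_after: datetime     # NotOnOrAfter, exclusive
    attributes: dict

    def valid_at(self, t):
        return self.not_before <= t < self.not_on_or_after

class ContextHandler:
    """Checks validity at the PDP's own evaluation time when an attribute is requested
    (the request's current-dateTime plays no part) and records the assertions used."""
    def __init__(self, assertions, eval_time):
        self.assertions, self.eval_time, self.used = assertions, eval_time, []

    def get(self, attr_id):
        for a in self.assertions:
            if attr_id in a.attributes:
                if not a.valid_at(self.eval_time):
                    return INDETERMINATE      # expired or not-yet-valid assertion
                self.used.append(a)
                return a.attributes[attr_id]
        return INDETERMINATE                  # no assertion carries the attribute

def response_validity(used):
    """Intersection of the validity windows of the assertions used; None if empty."""
    if not used:
        return None
    start, end = max(a.not_before for a in used), min(a.not_on_or_after for a in used)
    return (start, end) if start < end else None

def evaluate(handler):
    """Hypothetical toy PDP rule: Permit iff role is admin and clearance is secret."""
    role, clearance = handler.get("role"), handler.get("clearance")
    if INDETERMINATE in (role, clearance):
        return INDETERMINATE, None
    decision = "Permit" if (role, clearance) == ("admin", "secret") else "Deny"
    return decision, response_validity(handler.used)

# Constructed sample data: two assertions with overlapping but different windows.
T0 = datetime(2003, 1, 1, 12, 0, tzinfo=timezone.utc)
ASSERTIONS = [
    Assertion("role-assertion", T0 - timedelta(hours=1), T0 + timedelta(hours=2), {"role": "admin"}),
    Assertion("clearance-assertion", T0 - timedelta(minutes=30), T0 + timedelta(hours=1), {"clearance": "secret"}),
]

def scenario(minutes_after_t0):
    """Evaluate at T0 + offset; returns (decision, validity window as ISO strings or None)."""
    decision, window = evaluate(ContextHandler(ASSERTIONS, T0 + timedelta(minutes=minutes_after_t0)))
    return decision, None if window is None else tuple(t.isoformat() for t in window)
```

Because every assertion the handler hands out is valid at the evaluation time, the intersection always contains that instant and is never empty; the empty case only arises if an implementation admits assertions by some other criterion.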