OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [xacml] saml authz request vs request context (Re: [xacml] Issuesfor the next delegation draft)

Hi Frank,

I don't see how this would break the request context as a functional
interface. The request context is just the interface to the context
handler, where all the attributes have always been "stored", regardless
of their source. But, I don't know the full history or motivations of
XACML, so I don't know for sure. In any case, the external transport
format would maintain full functional characteristics.

Personally, I find it inelegant to have two global contexts in the
description of the processing model, that is, both the "normal" part of
the request context and the extra section in the request context. The
practical reason for not doing this is that it complicates the
definition of the processing model since every place where we refer to a
subject/delegate/etc element in the request context, we also have to
refer to the "additional attributes" section as a source for attribute
matching. Abstracting away the various sources of the attributes and
describing the processing model solely based on the "normal" part of the
request context greatly simplifies the standard.

Anyway, I think we both understand each other's proposals and I doubt
the two of us are going to make any more progress. I suggest that the
issue be discussed at the next meeting for additional input from others.

Regards,
Erik


Frank Siebenlist wrote:

> Hi Erik,
>
> The method that you are describing where the attributes are maintained
> by the context handler is the same as keeping them in some global
> context.
>
> It does not allow you to model the request context as a functional
> interface, which is not very elegant... and diverts from previously
> stated goals (at least I believe it was a noble goal to be able to
> model the xacml evaluation through a functional paradigm (?))
>
> I still haven't heart about any reason not to add the attribute sets
> to the request context.
> Is there any practical reason not to do this?
>
> Thanks, Frank.
>

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]