Subject: Re: [xacml] Minutes of the 25 May, 2006 TC meeting
Bill Parducci wrote:
> Minutes of May 25, 2006
>
> ...
>
> 2. Attribute Passing - Frank's proposal for the Request Context
> containing Attributes about Delegates.
>
> The TC agreed to the following:
>
> When using the core technology without using a profile (such as the
> SAML profile) there is a superset of information provided that will
> be used as input to the process cycle. The format of that
> information is undefined by XACML. During each evaluation cycle the
> Request Context is constructed from the superset and used by
> Policies and PolicySets.
>
> When using the SAML Profile we will specify the way the superset
> information is carried across the wire. Any implementation that
> doesn't use the SAML Profile is free to provide that information in
> any way it chooses so long as the subsequent Request Context is
> properly constructed for each cycle.

That's all too bad.

As I mentioned before, by relying on an "undefined" method to pass this "superset" of information, you break a functional interface where you pass all the information you need for evaluation in the request context - you essentially pass information through undefined global variables instead of passing it through function parameters.

Note that this is a departure from the xacml-1&2 request context definitions and processing.

As a consequence, you can not verify or understand the results that come back from an evaluation of a request context by only looking at the request context and the policies.

Not having a functional interface will complicate the proofing of correctness and any formal reasoning of what a set of xacml-3 policies and sets of actor's attribute-sets evaluate to.

In general, you should have very good reasons not to use a functional interface... unfortunately, I have not seen any in this case.

Sadly yours,
Frank.

--
Frank Siebenlist franks@mcs.anl.gov
The Globus Alliance - Argonne National Laboratory