[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Fwd: [xacml] Multiple subjects in XACML
---------- Forwarded message ---------- From: Argyn <jawabean@gmail.com> Date: Feb 19, 2007 10:44 AM Subject: Re: [xacml] Multiple subjects in XACML To: Erik Rissanen <mirty@sics.se> On 2/19/07, Erik Rissanen <mirty@sics.se> wrote: > Hal raised the concern that this is a bug in 2.0, since there could for > instance be multiple intermediate subjects, and this was a use case > which 2.0 should handle. > > I wasn't a member of the TC when 2.0 was designed, so I don't know if it > is a bug or a feature, but if it is a bug, it's a major one. If the > multiple subjects are really considered to be distinct subjects, there > are still no mechanisms by which policies can refer to them in a > meaningful manner. If an attribute designator is used to fetch > attributes from the request, it would mix up the attributes from > different distinct subjects. This is the same problem which we had with > multiple distinct IndirectDelegates, which is the reason I introduced > the MultipleCondition, which could be used to constrain distinct > indirect delegates. we discussed it with Seth once. it looked strange to me when I first read it. as far as I know XACML implementations support this feature as it is written. argyn
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]