

Subject: Fwd: Fwd: [xacml] Multiple subjects in XACML


sorry, this is so annoying that the reply-to field from our mailing list
doesn't have its address. I always hit "Reply" then realize that it's
not going to the mailing list.

---------- Forwarded message ----------
From: Argyn <jawabean@gmail.com>
Date: Feb 19, 2007 11:27 AM
Subject: Re: Fwd: [xacml] Multiple subjects in XACML
To: Erik Rissanen <mirty@sics.se>


On 2/19/07, Erik Rissanen <mirty@sics.se> wrote:
> Argyn wrote:
> > ---------- Forwarded message ----------
> > From: Argyn <jawabean@gmail.com>
> > Date: Feb 19, 2007 10:44 AM
> > Subject: Re: [xacml] Multiple subjects in XACML
> > To: Erik Rissanen <mirty@sics.se>
> >
> >
> > On 2/19/07, Erik Rissanen <mirty@sics.se> wrote:
> >> Hal raised the concern that this is a bug in 2.0, since there could for
> >> instance be multiple intermediate subjects, and this was a use case
> >> which 2.0 should handle.
> >>
> >> I wasn't a member of the TC when 2.0 was designed, so I don't know if it
> >> is a bug or a feature, but if it is a bug, it's a major one. If the
> >> multiple subjects are really considered to be distinct subjects, there
> >> are still no mechanisms by which policies can refer to them in a
> >> meaningful manner. If an attribute designator is used to fetch
> >> attributes from the request, it would mix up the attributes from
> >> different distinct subjects. This is the same problem which we had with
> >> multiple distinct IndirectDelegates, which is the reason I introduced
> >> the MultipleCondition, which could be used to constrain distinct
> >> indirect delegates.
> >
> > we discussed it with Seth once. it looked strange to me when I first
> > read it. as far as I know XACML implementations support this feature
> > as it is written.
> >
> > argyn
>
> When you mean "support this feature as it is written", do you mean that
> multiple subjects with the same subject category are not treated as
> distinct subjects by implementations?
>
> Sorry, but I am just a bit confused by the "support" and "written",
> since my interpretation of the writing is that distinct subjects with
> equal categories are not supported. ;-)


my fault, I wasn't clear enough.

If they have the same category, they are treated as the same thing. so
I simply unite the set of attributes of different subjects, if they
have the same category. I really don't understand why it is like that
in the spec, honestly, but that's what I implemented. as far as I know,
others do the same. I may even have a conformance test for this
feature, not sure though

argyn
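
Added example, not part of the original thread and not code from any XACML implementation: a minimal sketch of the behaviour discussed above, where attributes of `<Subject>` elements with the same `SubjectCategory` are united into one set, so a rule can be satisfied by values that come from two different subjects. The attribute ids `role` and `org`, the sample request, the rule, and the `decide_per_subject` alternative are all constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
ACCESS = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"  # default category
INTERMEDIARY = "urn:oasis:names:tc:xacml:1.0:subject-category:intermediary-subject"
STRING = "http://www.w3.org/2001/XMLSchema#string"

def _attr(attr_id, value):
    return (f'<Attribute AttributeId="{attr_id}" DataType="{STRING}">'
            f'<AttributeValue>{value}</AttributeValue></Attribute>')

# Constructed request: two distinct intermediaries sharing one SubjectCategory.
REQUEST = (f'<Request xmlns="{CTX}">'
           f'<Subject SubjectCategory="{INTERMEDIARY}">{_attr("role", "auditor")}{_attr("org", "partner")}</Subject>'
           f'<Subject SubjectCategory="{INTERMEDIARY}">{_attr("role", "clerk")}{_attr("org", "internal")}</Subject>'
           '</Request>')

def parse_subjects(xml_text):
    """Return one (category, {AttributeId: set(values)}) pair per <Subject> element."""
    out = []
    for subj in ET.fromstring(xml_text).findall(f"{{{CTX}}}Subject"):
        attrs = defaultdict(set)
        for a in subj.findall(f"{{{CTX}}}Attribute"):
            for v in a.findall(f"{{{CTX}}}AttributeValue"):
                attrs[a.get("AttributeId")].add((v.text or "").strip())
        out.append((subj.get("SubjectCategory", ACCESS), dict(attrs)))
    return out

def merge_by_category(subjects):
    """Union the attributes of all subjects that share a category."""
    bags = defaultdict(lambda: defaultdict(set))
    for category, attrs in subjects:
        for attr_id, values in attrs.items():
            bags[category][attr_id] |= values
    return bags

def matches(attrs, required):
    """True if every required (AttributeId, value) pair is present in attrs."""
    return all(value in attrs.get(attr_id, set()) for attr_id, value in required.items())

def decide_merged(subjects, category, required):
    return matches(merge_by_category(subjects).get(category, {}), required)

def decide_per_subject(subjects, category, required):
    # Hypothetical alternative, not XACML 2.0 behaviour: one subject must satisfy everything.
    return any(c == category and matches(a, required) for c, a in subjects)

if __name__ == "__main__":
    rule = {"role": "auditor", "org": "internal"}  # constructed rule
    subjects = parse_subjects(REQUEST)
    print("merged:", decide_merged(subjects, INTERMEDIARY, rule))
    print("per-subject:", decide_per_subject(subjects, INTERMEDIARY, rule))
```

With the merged view the constructed rule matches even though no single intermediary is both an auditor and internal; the per-subject view rejects it.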

