Subject: Re: Fwd: Fwd: [xacml] Multiple subjects in XACML
Argyn wrote:
> sorry, this is so annoying that reply-to field from our mailing list
> doesn't have its address. i always hit "Reply" then realize that it's
> not going to the mailing list.
>
> ---------- Forwarded message ----------
> From: Argyn <jawabean@gmail.com>
> Date: Feb 19, 2007 11:27 AM
> Subject: Re: Fwd: [xacml] Multiple subjects in XACML
> To: Erik Rissanen <mirty@sics.se>
>
>
> On 2/19/07, Erik Rissanen <mirty@sics.se> wrote:
>> Argyn wrote:
>> > ---------- Forwarded message ----------
>> > From: Argyn <jawabean@gmail.com>
>> > Date: Feb 19, 2007 10:44 AM
>> > Subject: Re: [xacml] Multiple subjects in XACML
>> > To: Erik Rissanen <mirty@sics.se>
>> >
>> >
>> > On 2/19/07, Erik Rissanen <mirty@sics.se> wrote:
>> >> Hal raised the concern that this is a bug in 2.0, since there could for
>> >> instance be multiple intermediate subjects, and this was a use case
>> >> which 2.0 should handle.
>> >>
>> >> I wasn't a member of the TC when 2.0 was designed, so I don't know if it
>> >> is a bug or a feature, but if it is a bug, it's a major one. If the
>> >> multiple subjects are really considered to be distinct subjects, there
>> >> are still no mechanisms by which policies can refer to them in a
>> >> meaningful manner. If an attribute designator is used to fetch
>> >> attributes from the request, it would mix up the attributes from
>> >> different distinct subjects. This is the same problem which we had with
>> >> multiple distinct IndirectDelegates, which is the reason I introduced
>> >> the MultipleCondition, which could be used to constrain distinct
>> >> indirect delegates.
>> >
>> > we discussed it with Seth once. it looked strange to me when I first
>> > read it. as far as I know XACML implementations support this feature
>> > as it is written.
>> >
>> > argyn
>>
>> When you mean "support this feature as it is written", do you mean that
>> multiple subjects with the same subject category are not treated as
>> distinct subjects by implementations?
>>
>> Sorry, but I am just a bit confused by the "support" and "written",
>> since my interpretation of the writing is that distinct subjects with
>> equal categories are not supported. ;-)
>
>
> my fault, I wasn't clear enough.
>
> If they have the same category, they are treated as the same thing. so
> i simply unite the set of attributes of different subjects, if they
> have the same category. i really don't understand why is it like that
> in the spec, honestly, but that's what i implemented. as far as i know,
> others do the same. i may even have a conformance test for this
> feature, not sure though
>
> argyn

Ok, so it seems to be like I thought. If this is also how it was
intended in 2.0, then it would not clash with a generalization of the
multiple resources profile.

Regards, Erik
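
An added illustration, not part of the original message or of any XACML implementation: the merge-by-category behaviour described in the thread, run on a constructed XACML 2.0 request with two intermediary subjects, next to a per-subject evaluation of the same rule. The urn:example:* attribute ids, the rule and all function names are assumptions made for this example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"c": "urn:oasis:names:tc:xacml:2.0:context:schema:os"}
ACCESS = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
INTERMEDIARY = "urn:oasis:names:tc:xacml:1.0:subject-category:intermediary-subject"
STR = "http://www.w3.org/2001/XMLSchema#string"

def _subject(role, site):
    # Builds one constructed <Subject>; the urn:example:* ids are hypothetical.
    attrs = "".join(
        f'<Attribute AttributeId="urn:example:{k}" DataType="{STR}">'
        f"<AttributeValue>{v}</AttributeValue></Attribute>"
        for k, v in (("role", role), ("site", site)))
    return f'<Subject SubjectCategory="{INTERMEDIARY}">{attrs}</Subject>'

# Constructed request: two distinct intermediaries sharing one category.
REQUEST = (f'<Request xmlns="{NS["c"]}">' + _subject("auditor", "external")
           + _subject("operator", "internal") + "</Request>")

def subjects(request_xml):
    """Yield (category, {AttributeId: set(values)}) per <Subject> element."""
    for s in ET.fromstring(request_xml).findall("c:Subject", NS):
        bag = defaultdict(set)
        for a in s.findall("c:Attribute", NS):
            for v in a.findall("c:AttributeValue", NS):
                bag[a.get("AttributeId")].add(v.text)
        yield s.get("SubjectCategory", ACCESS), bag

def merged_by_category(request_xml):
    """Union the attributes of all subjects that have the same category."""
    merged = defaultdict(lambda: defaultdict(set))
    for cat, bag in subjects(request_xml):
        for attr_id, values in bag.items():
            merged[cat][attr_id] |= values
    return merged

def rule(bag):
    # Hypothetical rule: an auditor located at the internal site.
    return "auditor" in bag["urn:example:role"] and "internal" in bag["urn:example:site"]

def evaluate(request_xml):
    """Return (result on merged bag, result if subjects were kept distinct)."""
    merged = rule(merged_by_category(request_xml)[INTERMEDIARY])
    distinct = any(rule(bag) for cat, bag in subjects(request_xml)
                   if cat == INTERMEDIARY)
    return merged, distinct

if __name__ == "__main__":
    print(evaluate(REQUEST))  # (True, False)
```

The merged bag satisfies the rule although neither intermediary does on its own, which is the attribute mix-up a policy author has to account for when several subjects share a category.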