[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Issue 73, where does reduction start?
All, Issue 73 is about at which level in a nested policy set does delegation reduction start? As it is specified currently, reduction is done as a graph search where the nodes of the graph are the policies in a policy set. In other words, we could say that "reduction starts at the siblings of the policy being reduced" to use the wording of issue 73. Alternatively it has been suggested that reduction should start at the top level in the PDP, leading to recursive invocations of the PDP. The reduction algorithm was designed as it is currently for two reasons: 1) The current mode gives an algorithm which is guaranteed to terminate (unless the 'access-permitted' function is invoked in the policies) and is much easier to analyze and comprehend than the "top level PDP" alternative. 2) There are security issues related to policy sets with nested issuers in case of a "top level PDP" approach. In effect the issuer of a policy set with nested <PolicyIssuer> elements has authenticated the attributes in all contained <PolicyIssuer> elements. Invoking delegation at the top level means that the reduction process of a policy may enter other policy sets thus introducing a trust relation to the issuer of the other policy and his authentication of policy issuers. I propose that issue 73 is closed with no action since I think the current reduction algorithm is the correct solution. Best regards, Erik
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]