Subject: Re: [xacml] Attribute validity times
Hi David.

> [...]
> Yes, you can implement the hack you mention below, where you add a new
> validity time attribute for every RC subject attribute, but a better
> solution would be to change the XML to allow optional validity times to
> accompany each attribute, with default values of start now and never end.
> This achieves backwards compatibility, but allows validity times to be
> incorporated naturally with attribute values.

I agree with (what I think) Erik was suggesting, that the PEP/PIP is really responsible for validity. From a policy evaluation point of view, the PDP assumes that any input provided to evaluating a given policy is still valid. A central piece of the XACML model is that the PDP is insulated from the rest of the world: it assumes the attributes it's provided are valid, and uses these to evaluate a policy. Put another way, XACML defines the policy processing model, not the way that interaction happens with the rest of the world.

Yes, there is the context schema which defines a standard, simple XACML Request that carries only the core values that can drive evaluation. There's also SAML, which should allow you to define validity periods or other constraints on any attributes you need to provide.

We could change the Request format to include validity periods, but what effect would this have? It sounds to me like it would require the PDP to consider validity of attribute values with each use, or at the point in time that evaluation started, or some other metric. It would also mean that we'd have to have some unified notion of time in a distributed system, which is hard (well, provably impossible, but in practice there are reasonable schemes for well-connected nodes).

I think what you really want is what SAML provides: the ability to put constraints on attributes up to the point where some entity queries a PDP for evaluation.

I strongly believe that the PDP itself should not have any role in determining the validity of attributes presented to it, and that's really what we'd be talking about if the context schema itself changed.

Erik - sorry for jumping in here :) Feel free to disagree..

seth
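As an added illustration of the division of labour argued for above (example code, not part of the thread or of any XACML implementation): the PIP/PEP enforces SAML-style NotBefore/NotOnOrAfter windows at a single evaluation instant and then builds a Request context that carries no validity information, so the PDP can keep assuming everything it receives is valid. The attribute ids, timestamps and the XACML 2.0 context namespace used here are assumptions for the demonstration.

```python
# Added example (not from the thread): PIP-side validity filtering before the PDP.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional
import xml.etree.ElementTree as ET

# Assumed URIs: XACML 2.0 request-context namespace and the XML Schema string type.
XACML_CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"


@dataclass
class AttributeAssertion:
    """A subject attribute plus the validity window its issuer attached (SAML Conditions style)."""
    attribute_id: str
    value: str
    not_before: Optional[datetime] = None       # None means "start now"
    not_on_or_after: Optional[datetime] = None  # None means "never end"

    def is_valid_at(self, t: datetime) -> bool:
        if self.not_before is not None and t < self.not_before:
            return False
        if self.not_on_or_after is not None and t >= self.not_on_or_after:
            return False
        return True


def select_valid_attributes(assertions: List[AttributeAssertion], at: datetime) -> List[AttributeAssertion]:
    """PEP/PIP step: keep only attributes valid at the one instant the request is formed."""
    return [a for a in assertions if a.is_valid_at(at)]


def build_request_context(subject_attrs: List[AttributeAssertion]) -> str:
    """Serialize the surviving attributes as a minimal XACML Request; no validity data reaches the PDP."""
    req = ET.Element(f"{{{XACML_CTX}}}Request")
    subject = ET.SubElement(req, f"{{{XACML_CTX}}}Subject")
    for a in subject_attrs:
        attr = ET.SubElement(subject, f"{{{XACML_CTX}}}Attribute",
                             AttributeId=a.attribute_id, DataType=XS_STRING)
        ET.SubElement(attr, f"{{{XACML_CTX}}}AttributeValue").text = a.value
    return ET.tostring(req, encoding="unicode")


# Constructed sample input: one expired role, one open-ended role, one not-yet-valid clearance.
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    AttributeAssertion("urn:example:role", "doctor",
                       not_on_or_after=datetime(2024, 1, 1, 11, 0, tzinfo=timezone.utc)),
    AttributeAssertion("urn:example:role", "staff"),
    AttributeAssertion("urn:example:clearance", "high",
                       not_before=datetime(2024, 1, 1, 13, 0, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    print(build_request_context(select_valid_attributes(SAMPLE, T0)))
```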