Subject: Re: [xacml] Attribute validity times


Hi Seth,

I agree with you completely. Thanks for jumping in. :-)

Regards,
Erik

Seth Proctor wrote:
> Hi David.
>
>   
>> [...]
>> Yes, you can implement the hack you mention below, where you add a new 
>> validity time attribute for every RC subject attribute, but a better 
>> solution would be to change the XML to allow optional validity times to 
>> accompany each attribute, with default values of start now and never end. 
>> This achieves backwards compatibility, but allows validity times to be 
>> incorporated naturally with attribute values.
>>     
>
> I agree with (what I think) Erik was suggesting, that the PEP/PIP is really
> responsible for validity. From a policy evaluation point of view, the
> PDP assumes that any input provided to evaluating a given policy is still
> valid. A central piece of the XACML model is that the PDP is insulated
> from the rest of the world: it assumes the attributes it's provided are
> valid, and uses these to evaluate a policy.
>
> Put another way, XACML defines the policy processing model, not the way
> that interaction happens with the rest of the world. Yes, there is the
> context schema which defines a standard, simple XACML Request that carries
> only the core values that can drive evaluation. There's also SAML, which
> should allow you to define validity periods or other constraints on any
> attributes you need to provide. 
>
> We could change the Request format to include validity periods, but what
> effect would this have? It sounds to me like it would require the PDP
> to consider validity of attribute values with each use, or at the point
> in time that evaluation started, or some other metric. It would also
> mean that we'd have to have some unified notion of time in a distributed
> system, which is hard (well, provably impossible, but in practice there
> are reasonable schemes for well-connected nodes).
>
> I think what you really want is what SAML provides. The ability to put
> constraints on attributes up to the point where some entity queries a
> PDP for evaluation. I strongly believe that the PDP itself should not
> have any role in determining the validity of attributes presented to it,
> and that's really what we'd be talking about if the context schema
> itself changed.
>
> Erik - sorry for jumping in here :) Feel free to disagree..
>
>
> seth
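As an added illustration of the division of labour Seth describes (the PEP/PIP checks attribute validity; the PDP trusts whatever it is handed and only evaluates policy), here is a constructed Python sketch. It is not code from the XACML TC or from any XACML implementation; the attribute ids, the policy rules, the timestamps and the SAML-style NotBefore/NotOnOrAfter field names are all assumptions made for the example. It also shows the failure mode the thread warns about: if a PEP forwards stale attributes without filtering, the PDP has no way to notice and grants on them.

```python
"""Added example: a PIP-side validity filter in front of a minimal XACML-style PDP.

Constructed for illustration; not code from the xacml TC or any XACML product.
Attribute ids, policy rules and timestamps are made up.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Attribute:
    """A subject attribute with an optional validity window, modelled on SAML's
    NotBefore / NotOnOrAfter conditions (assumed field names).  A missing bound
    means 'valid from now' / 'never expires', the defaults David's mail proposes."""
    attribute_id: str
    value: str
    not_before: Optional[datetime] = None
    not_on_or_after: Optional[datetime] = None


def is_valid_at(attr: Attribute, now: datetime) -> bool:
    """Validity check.  This lives in the PEP/PIP, not in the PDP."""
    if attr.not_before is not None and now < attr.not_before:
        return False
    if attr.not_on_or_after is not None and now >= attr.not_on_or_after:
        return False
    return True


def pip_collect(attrs, now: datetime):
    """PIP step: drop attributes whose window does not cover 'now'.
    The PDP never sees them, so it can keep assuming its input is valid."""
    return [a for a in attrs if is_valid_at(a, now)]


def build_request(subject_attrs, action_id: str) -> dict:
    """Minimal XACML-style request context: only the values that drive
    evaluation.  Validity windows are deliberately not carried into it."""
    subject = {}
    for a in subject_attrs:
        subject.setdefault(a.attribute_id, set()).add(a.value)
    return {"subject": subject, "action": action_id}


# Hypothetical policy: each rule (attribute_id, required_value, action) yields Permit.
POLICY = [
    ("urn:example:role", "admin", "write"),
    ("urn:example:role", "admin", "read"),
    ("urn:example:role", "reader", "read"),
]


def pdp_evaluate(request: dict, policy=POLICY) -> str:
    """The PDP trusts its input: no time or validity check here, by design."""
    for attr_id, required, action in policy:
        if request["action"] == action and required in request["subject"].get(attr_id, set()):
            return "Permit"
    return "NotApplicable"


def decide(attrs, action_id: str, now: datetime, policy=POLICY) -> str:
    """PEP flow: PIP filters by validity, the request is built, the PDP evaluates."""
    return pdp_evaluate(build_request(pip_collect(attrs, now), action_id), policy)


# Constructed sample: the admin role expired on 2024-03-01, the reader role is unbounded.
T_NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
T_WHILE_ADMIN = datetime(2024, 2, 1, tzinfo=timezone.utc)
SUBJECT_ATTRS = [
    Attribute("urn:example:role", "admin",
              not_before=datetime(2024, 1, 1, tzinfo=timezone.utc),
              not_on_or_after=datetime(2024, 3, 1, tzinfo=timezone.utc)),
    Attribute("urn:example:role", "reader"),  # no bounds: valid now, never expires
]

if __name__ == "__main__":
    print("write, PIP-filtered:      ", decide(SUBJECT_ATTRS, "write", T_NOW))
    print("write, back in February:  ", decide(SUBJECT_ATTRS, "write", T_WHILE_ADMIN))
    print("read,  PIP-filtered:      ", decide(SUBJECT_ATTRS, "read", T_NOW))
    # Failure mode: a PEP that forwards stale attributes unfiltered.
    print("write, unfiltered request:", pdp_evaluate(build_request(SUBJECT_ATTRS, "write")))
```

The point of keeping `pdp_evaluate` free of any clock is the one Seth makes: if validity were part of the request context, the PDP would have to decide which instant it measures validity against and would need a shared notion of time with the PIP; pushing the check to `pip_collect` keeps the PDP insulated and leaves the time semantics with the component that actually fetched the attribute.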
