Subject: Re: [xacml] Attribute validity times
Hi Seth,

I agree with you completely. Thanks for jumping in. :-)

Regards,
Erik

Seth Proctor wrote:
> Hi David.
>
>> [...]
>> Yes, you can implement the hack you mention below, where you add a new
>> validity time attribute for every RC subject attribute, but a better
>> solution would be to change the XML to allow optional validity times to
>> accompany each attribute, with default values of start now and never end.
>> This achieves backwards compatibility, but allows validity times to be
>> incorporated naturally with attribute values.
>
> I agree with (what I think) Erik was suggesting, that the PEP/PIP is really
> responsible for validity. From a policy evaluation point of view, the
> PDP assumes that any input provided to evaluating a given policy is still
> valid. A central piece of the XACML model is that the PDP is insulated
> from the rest of the world: it assumes the attributes it's provided are
> valid, and uses these to evaluate a policy.
>
> Put another way, XACML defines the policy processing model, not the way
> that interaction happens with the rest of the world. Yes, there is the
> context schema which defines a standard, simple XACML Request that carries
> only the core values that can drive evaluation. There's also SAML, which
> should allow you to define validity periods or other constraints on any
> attributes you need to provide.
>
> We could change the Request format to include validity periods, but what
> effect would this have? It sounds to me like it would require the PDP
> to consider validity of attribute values with each use, or at the point
> in time that evaluation started, or some other metric. It would also
> mean that we'd have to have some unified notion of time in a distributed
> system, which is hard (well, provably impossible, but in practice there
> are reasonable schemes for well-connected nodes).
>
> I think what you really want is what SAML provides. The ability to put
> constraints on attributes up to the point where some entity queries a
> PDP for evaluation. I strongly believe that the PDP itself should not
> have any role in determining the validity of attributes presented to it,
> and that's really what we'd be talking about if the context schema
> itself changed.
>
> Erik - sorry for jumping in here :) Feel free to disagree..
>
> seth
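As an added illustration of the division of labour argued for in this thread (not code from the thread or from any XACML implementation): a hypothetical PEP/PIP step that applies SAML-style validity windows to attributes, with "start now, never end" as the default when no window is given, and then builds a minimal XACML 1.0 context Request that carries only the attributes still valid at evaluation time, so the PDP never sees or judges validity. The attribute names, values and timestamps are constructed sample input, and the Resource/Action elements are left empty for brevity.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional
import xml.etree.ElementTree as ET

# Hypothetical PIP-side record: an attribute plus an optional validity window.
# None on either bound gives the proposed defaults: "start now, never end".
@dataclass(frozen=True)
class TimedAttribute:
    attr_id: str
    value: str
    not_before: Optional[datetime] = None
    not_on_or_after: Optional[datetime] = None

    def valid_at(self, t: datetime) -> bool:
        # SAML-style bounds: inclusive NotBefore, exclusive NotOnOrAfter.
        if self.not_before is not None and t < self.not_before:
            return False
        if self.not_on_or_after is not None and t >= self.not_on_or_after:
            return False
        return True

def filter_valid(attrs: List[TimedAttribute], now: datetime) -> List[TimedAttribute]:
    """Validity is decided here, at the PEP/PIP, never inside the PDP."""
    return [a for a in attrs if a.valid_at(now)]

def valid_ids(attrs: List[TimedAttribute], now: datetime) -> List[str]:
    return [a.attr_id for a in filter_valid(attrs, now)]

def build_request(attrs: List[TimedAttribute], now: datetime) -> str:
    """Minimal XACML 1.0 context Request with only currently valid subject
    attributes; no validity times are passed through to the PDP."""
    ns = "urn:oasis:names:tc:xacml:1.0:context"
    xs = "http://www.w3.org/2001/XMLSchema#string"
    req = ET.Element(f"{{{ns}}}Request")
    subj = ET.SubElement(req, f"{{{ns}}}Subject")
    for a in filter_valid(attrs, now):
        el = ET.SubElement(subj, f"{{{ns}}}Attribute",
                           {"AttributeId": a.attr_id, "DataType": xs})
        ET.SubElement(el, f"{{{ns}}}AttributeValue").text = a.value
    ET.SubElement(req, f"{{{ns}}}Resource")  # empty: outside this example's scope
    ET.SubElement(req, f"{{{ns}}}Action")
    return ET.tostring(req, encoding="unicode")

# Constructed sample input (not taken from the thread).
UTC = timezone.utc
NOW = datetime(2003, 3, 1, 12, 0, tzinfo=UTC)
SAMPLE = [
    TimedAttribute("role", "admin", not_on_or_after=datetime(2003, 2, 28, tzinfo=UTC)),  # expired
    TimedAttribute("clearance", "secret", datetime(2003, 1, 1, tzinfo=UTC), datetime(2004, 1, 1, tzinfo=UTC)),
    TimedAttribute("group", "staff"),                  # no window: valid now, never ends
    TimedAttribute("token", "t1", not_on_or_after=NOW),  # expires exactly now: excluded
]
```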