xacml message

Subject: RE: [xacml] Proposal to address issue 11, and thoughts on whether it is advisable or not to separate out sections of hier, mult to a new profile

From: "Tyson, Paul H" <PTyson@bellhelicopter.textron.com>
To: "Erik Rissanen" <erik@axiomatics.com>,"Rich.Levinson" <rich.levinson@oracle.com>
Date: Wed, 14 Oct 2009 14:09:26 -0500

 

> -----Original Message-----
> From: Erik Rissanen [mailto:erik@axiomatics.com] 
> Sent: Wednesday, October 14, 2009 12:36
> To: Rich.Levinson
> Cc: xacml
> Subject: Re: [xacml] Proposal to address issue 11, and 
> thoughts on whether it is advisable or not to separate out 
> sections of hier, mult to a new profile
> 
> 
> Personally I find it difficult to work with expressions like 
> this since it is about performing "matching on a matching 
> language" in order to get the actual resource.

+1
 
> I understand that it may be desirable in some cases to hide 
> the XML content, but that could perhaps be handled better by 
> a construct like this:
> 
> <Request>
>   <Attributes Category="resource">
>     ...
>     <ContentReference .....something here..../>
>   </Attributes>
> </Request>

ContentReference, with an href attribute or content type anyURI, is an
excellent proposal on its own, and should be pursued outside of this
issue.

Another option for hiding content is to encrypt and sign the content (or
entire request) in the transport layer.

--Paul

References:
- Proposal to address issue 11, and thoughts on whether it is advisableor not to separate out sections of hier, mult to a new profile
  - From: "Rich.Levinson" <rich.levinson@oracle.com>
- Re: [xacml] Proposal to address issue 11, and thoughts on whetherit is advisable or not to separate out sections of hier, mult to a new profile
  - From: Erik Rissanen <erik@axiomatics.com>