Re: [xacml] Attribute predicate profile for SAML and XACML

[Gregory Neven <nev@zurich.ibm.com>]

Dear Doron,

I agree, I imagine that anything being done by the PEP in the current 
document can just as well be done by the Context Handler. The Context 
Handler does see responses with missing attributes passing by, right? 
The same issue has previously been raised by Hal, in fact.

Best,
Greg

On 3/23/2011 14:31, Doron Grinstein wrote:
> Gregory,
>
> You have invested considerable time on the draft document and produced good work. After reading the proposal, I would rather keep PEP logic to a minimum and move most of the functionality described to the context handler on the PDP side.
>
> > From experience, the more "heavy lifting" is done by the service, the lighter the PEP is.
>
> It is in XACML's best interest to have light PEP's because adoption will be greater and faster. If the cost of entry for a PEP is too high, not as many PEPs will be developed.
>
> Changing the proposal to have the PDP/context handler do the attribute predicate request won't change the overall idea, but architecturally will make adoption more likely and less costly.
>
> I hope this makes sense.
>
> Doron Grinstein
> CEO
> BiTKOO
>
>
>
> On Mar 23, 2011, at 2:26 AM, "Gregory Neven"<nev@zurich.ibm.com>  wrote:
>
>> Dear all,
>>
>> Please find attached a first draft of the attribute predicate profile
>> that we've been discussing during the telephone conferences. Looking
>> forward to your feedback!
>>
>> Best regards,
>> Gregory and Franz-Stefan
>> <2011-02 SAM+XACML Attribute Predicate Profiles.zip>
>> <SAML+XACML Attribute Predicate Profile.pdf>
>> ---------------------------------------------------------------------
>> To unsubscribe from this mail list, you must leave the OASIS TC that
>> generates this mail.  Follow this link to all your TCs in OASIS at:
>> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
>
>
>
>