[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [xacml] RE: Context Handler


On 2011-12-19 16:11, remon.sinnema@emc.com wrote:
> Erik,
>
> -----Original Message-----
> From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On
> Behalf Of Erik Rissanen
> Sent: Monday, December 19, 2011 4:02 PM
> To: Sinnema, Remon
> Cc: xacml@lists.oasis-open.org
> Subject: Re: [xacml] RE: Context Handler
>
> Hi Ray,
>
> Ok, I understand, but I would say that this is a flaw in the
> implementation in this case.
>
> I don't think the spec is clear enough in this area. It doesn't define what exactly a PIP can and cannot do. If we make the description of the PIP clearer so that it explicitly can do more than retrieve values for attributes that are missing from the request, then I agree we don't need a REP.
>
> However, I do wonder based on what information the PDP will decide to ask the PIP for more attribute values. Or do you propose the PDP always reaches out to all PIPs?
>
> Thanks,
> Ray


Ray,

This is easy to control through the context handler setup/config. A context handler which is configured to always invoke a particular PIP is equivalent to deploying a "REP".

The XACML architecture is intended to be an abstract view of the big picture and applicable to many diverse environments, so it intentionally leaves out many details. Making it more detailed would clutter the architecture or make it less generally applicable. There are so many things it could cover, like caching, pre-fetching, communication protocols, when to invoke which PIP, etc. I prefer to keep it simple in the spec.

Best regards,
Erik
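Added illustration of the point Erik makes about context handler configuration (example code written for this archive page, not code from the thread or from any XACML implementation). It models a context handler that owns two PIPs and answers Remon's question two ways: by default a PIP is consulted only when the PDP asks for an attribute the request lacks; a PIP named in the handler's always_invoke setting is run up front for every request, which is the "REP" behaviour described above. The PIP and handler interfaces, the single-rule PDP and the directory/catalog tables are all assumptions constructed for the example; only the two category identifiers are the standard XACML ones.

```python
"""Toy XACML context handler / PIP model (added example, interfaces are assumed)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# Standard XACML category identifiers for the access subject and the resource.
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"

Attributes = Dict[str, Dict[str, List[str]]]  # category -> attribute-id -> bag of values

# Constructed backing data for the two PIPs (sample data, not real directories).
ROLES = {"alice": ["clerk"], "bob": ["auditor"]}
CLASSIFICATION = {"doc-42": ["public"], "doc-99": ["secret"]}


@dataclass
class PIP:
    """Policy Information Point: fetches the attributes in `provides` for one category."""
    name: str
    category: str
    provides: Set[str]
    fetch: Callable[[Attributes, str], List[str]]  # (request, attribute-id) -> values
    calls: int = 0  # how often the handler actually reached out to this PIP

    def retrieve(self, request: Attributes, attribute_id: str) -> List[str]:
        self.calls += 1
        return self.fetch(request, attribute_id)


@dataclass
class Context:
    """Request context handed to the PDP; attributes not in the request are resolved lazily."""
    request: Attributes
    handler: "ContextHandler"
    resolved: Attributes = field(default_factory=dict)

    def store(self, category: str, attribute_id: str, values: List[str]) -> None:
        self.resolved.setdefault(category, {})[attribute_id] = values

    def get(self, category: str, attribute_id: str) -> List[str]:
        # Lookup order: the request itself, values a PIP already supplied, then a PIP call.
        values = self.request.get(category, {}).get(attribute_id)
        if values is None:
            values = self.resolved.get(category, {}).get(attribute_id)
        if values is None:
            values = self.handler.resolve(self.request, category, attribute_id)
            if values is not None:
                self.store(category, attribute_id, values)
        return values if values is not None else []


@dataclass
class ContextHandler:
    """Owns the PIPs. PIPs named in `always_invoke` run up front for every request
    (the 'REP' behaviour); all other PIPs are consulted only on demand."""
    pips: List[PIP]
    always_invoke: Set[str] = field(default_factory=set)

    def build_context(self, request: Attributes) -> Context:
        ctx = Context(request=request, handler=self)
        for pip in self.pips:
            if pip.name in self.always_invoke:
                for attribute_id in pip.provides:
                    ctx.store(pip.category, attribute_id, pip.retrieve(request, attribute_id))
        return ctx

    def resolve(self, request: Attributes, category: str, attribute_id: str) -> Optional[List[str]]:
        # On-demand path: ask the first PIP that declares the attribute; None if nobody can.
        for pip in self.pips:
            if pip.category == category and attribute_id in pip.provides:
                return pip.retrieve(request, attribute_id)
        return None


def evaluate(ctx: Context) -> str:
    """Toy PDP with one rule: clerks may read public documents.
    Attributes are fetched left to right, so the resource PIP is only consulted when the
    subject check did not already decide the outcome. An attribute nobody can supply yields
    Indeterminate, as a MustBePresent designator would in XACML."""
    roles = ctx.get(SUBJECT, "role")
    if not roles:
        return "Indeterminate"
    if "clerk" not in roles:
        return "Deny"
    classification = ctx.get(RESOURCE, "classification")
    if not classification:
        return "Indeterminate"
    return "Permit" if classification == ["public"] else "Deny"


def run(always_invoke: Set[str], subject_id: str, resource_id: str) -> Tuple[str, int, int]:
    """Evaluate one request; returns (decision, directory PIP calls, catalog PIP calls)."""
    directory = PIP("directory", SUBJECT, {"role"},
                    lambda req, _a: ROLES.get(req[SUBJECT]["subject-id"][0], []))
    catalog = PIP("catalog", RESOURCE, {"classification"},
                  lambda req, _a: CLASSIFICATION.get(req[RESOURCE]["resource-id"][0], []))
    handler = ContextHandler([directory, catalog], always_invoke)
    request: Attributes = {SUBJECT: {"subject-id": [subject_id]},
                           RESOURCE: {"resource-id": [resource_id]}}
    decision = evaluate(handler.build_context(request))
    return decision, directory.calls, catalog.calls
```

With the default (empty) always_invoke, run(set(), "bob", "doc-42") denies after one directory call and never touches the catalog PIP; run({"catalog"}, "bob", "doc-42") reaches the same decision but has already called the catalog PIP before the PDP evaluated anything, which is exactly the difference between a lazily consulted PIP and a PIP the handler is configured to invoke for every request.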


