Subject: RE: The Subject/Object Paradigm

Hal wrote:
> > A more recent view of the same problem takes the access control decision as
> > a starting point and asks "Under what conditions should this request be
> > allowed?" In this resource-centric view, many different inputs may be
> > combined to make the decision, not just user identity.

Phill wrote:
> Is the subject/object issue the point of difference here or the
> nature of the question?
> The current draft is written to allow the question 'can subject X access
> object Y?'. The question you appear to want to ask is 'what is the set of
> subjects that can access object Y?' or 'what attributes must subject X have
> to access object Y?' which amounts to the same thing.

This is not the difference. I want to ask "Can object (resource) Y be
accessed given all the information required by all the policies associated
with Y?"

The policies may or may not require information about X. They may or may not
require information about any intermediaries involved, locations of the
request, current date and time, content of the object instance, external
information (e.g. DJIA value) or other information.

> I think these are good questions to ask and believe that XACML should
> support them. However they appear to be out of SAML scope (for now).

I agree.
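The resource-centric evaluation described above, as an added example that is not from this thread or from any SAML/XACML draft: a small Python decision point in which every policy is attached to object Y, declares the attributes it needs (subject, intermediary, time, object content, external data), and a deny-overrides combiner treats a missing attribute as Indeterminate, hence Deny. All policy names, attribute names and sample values are constructed.

```python
from datetime import datetime
from typing import Callable, Dict, Iterable, Tuple

# A request context is a flat bag of attributes drawn from many sources:
# the subject, intermediaries, the environment, the object instance, external data.
Context = Dict[str, object]


class Policy:
    """A policy associated with a resource; declares the attributes it needs."""

    def __init__(self, name: str, needs: Iterable[str],
                 rule: Callable[[Context], bool]) -> None:
        self.name, self.needs, self.rule = name, tuple(needs), rule

    def evaluate(self, ctx: Context) -> str:
        # An attribute the policy needs but the request did not supply
        # cannot be treated as a Permit: the result is Indeterminate.
        if any(attr not in ctx for attr in self.needs):
            return "Indeterminate"
        return "Permit" if self.rule(ctx) else "Deny"


def decide(policies: Iterable[Policy], ctx: Context) -> Tuple[str, Dict[str, str]]:
    """Deny-overrides combining: Permit only if every policy on Y permits."""
    results = {p.name: p.evaluate(ctx) for p in policies}
    verdict = "Permit" if all(r == "Permit" for r in results.values()) else "Deny"
    return verdict, results


# Hypothetical policies associated with object Y. Only the first one consults
# the subject; the others use the intermediary, the time, the object's content
# and external information (the DJIA example from the thread).
POLICIES_FOR_Y = [
    Policy("subject-role", ["subject.role"], lambda c: c["subject.role"] == "trader"),
    Policy("trading-hours", ["env.time"], lambda c: 9 <= c["env.time"].hour < 17),
    Policy("trusted-intermediary", ["intermediary.trusted"], lambda c: c["intermediary.trusted"] is True),
    Policy("not-embargoed", ["resource.embargoed"], lambda c: not c["resource.embargoed"]),
    Policy("market-not-halted", ["external.djia_halted"], lambda c: not c["external.djia_halted"]),
]


def sample_request() -> Context:
    """Constructed request context that satisfies every policy on Y."""
    return {"subject.role": "trader", "env.time": datetime(2002, 3, 5, 10, 30),
            "intermediary.trusted": True, "resource.embargoed": False,
            "external.djia_halted": False}
```

Dropping any single attribute from the sample request, or moving `env.time` outside trading hours, flips the verdict to Deny while the per-policy results show which policy was responsible.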
