Re: [security-services] Proposed Enhancement for Dynamic Attribute Queries

[David Chadwick <d.w.chadwick@kent.ac.uk>]

Hi Leif

> > > If you have a model of an all attribute providing IDP, and an SP
> > > that offers multiple services with different authz requirements,
> > > then you need a feature such as this
>
> No. You need a feature like this if you need to support _dynamic_ authz
> requirements. Supporting authz at all is sufficiently difficult for SPs.

the meta data approach is problematical for at least two reasons

i) you get a combinatorial explosion of alternatives if each has to be 
separately statically specified in the metadata

ii) at least one well known implementation (SimpleSAMLPHP) only supports 
the first metadata entry regardless of how many are actually present in 
the metadata.

regards

david


> 	Cheers
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk9yvAwACgkQ8Jx8FtbMZnfyOgCgw40n92l9xH7brViPSODIDaBB
> g3QAoIG/GtcrGSW7Hw9TcciEzA4aWfOH
> =J+2t
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: security-services-unsubscribe@lists.oasis-open.org
> For additional commands, e-mail: security-services-help@lists.oasis-open.org

--

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
School of Computing, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************