Subject: [xacml-comment] Identifying attribute issuers
Are there any plans to extend XACML to support defining the attribute issuer id? In the current specification it is assumed that this is outside the scope of XACML and is handled by the PIP. In the current specification there appears to be no ideal solution to the following scenario:

OrgA trusts OrgB to issue attributes for OrgB's employees.

OrgA requires all other users to register, and for these users OrgA issues the attributes.

If XACML supported issuer Id this could be simply modelled using two policyStatements, one for OrgB and one for everyone else, the appropriate one being loaded by the PDP from the PRP.

As I understand the present schema, the only way to achieve this would be to add functionality to the PIP to call OrgB's attribute issuer when handling OrgB. This has two problems:

1) It is inflexible in that it becomes difficult to handle complex collaborations with multiple attribute issuers.

2) The policy has to be managed as two separate documents, one specifying the attributes and the second specifying who you trust to issue those attributes.

The addition of an optional AttributeIssuer would appear to resolve this issue.

John Howard
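
The scenario in the message above, as an added example that is not part of the original post and is not XACML syntax: a minimal Python model in which each attribute carries its issuer and each policy match may pin the issuer it trusts. All class, policy and attribute names are hypothetical, and the requests are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Attribute:
    attr_id: str
    value: str
    issuer: str  # who asserted this attribute

@dataclass(frozen=True)
class Match:
    attr_id: str
    value: str
    issuer: Optional[str] = None  # None = accept any issuer (issuer-blind)

    def satisfied_by(self, attrs):
        return any(a.attr_id == self.attr_id and a.value == self.value
                   and (self.issuer is None or a.issuer == self.issuer)
                   for a in attrs)

# Constructed policies for the OrgA/OrgB scenario; every name is hypothetical.
ISSUER_AWARE = {
    "orgb-employees": [Match("organisation", "OrgB", issuer="OrgB"),
                       Match("role", "engineer", issuer="OrgB")],
    "registered-users": [Match("role", "engineer", issuer="OrgA")],
}
ISSUER_BLIND = {"any-engineer": [Match("role", "engineer")]}

def decide(policies, attrs):
    """Return (decision, policy name); Permit if any policy's matches all hold."""
    for name, matches in policies.items():
        if all(m.satisfied_by(attrs) for m in matches):
            return ("Permit", name)
    return ("Deny", None)

# Constructed requests.
ORGB_EMPLOYEE = [Attribute("organisation", "OrgB", "OrgB"),
                 Attribute("role", "engineer", "OrgB")]
REGISTERED = [Attribute("role", "engineer", "OrgA")]
ORGB_FOR_OUTSIDER = [Attribute("role", "engineer", "OrgB")]  # no OrgB employment
SELF_ASSERTED = [Attribute("role", "engineer", "self")]

if __name__ == "__main__":
    for label, req in [("OrgB employee", ORGB_EMPLOYEE), ("registered", REGISTERED),
                       ("OrgB for outsider", ORGB_FOR_OUTSIDER),
                       ("self-asserted", SELF_ASSERTED)]:
        print(label, decide(ISSUER_AWARE, req), decide(ISSUER_BLIND, req))
```

With the issuer pinned in the policy, the trust decision sits in the same document as the attribute requirements; the issuer-blind policy permits all four requests, including the self-asserted one.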