OASIS Mailing List Archives

xacml-comment message


Subject: [xacml-comment] Identifying attribute issuers

Are there any plans to extend XACML to support defining the attribute issuer id? In the current specification it is assumed that this is outside the scope of XACML and is handled by the PIP. In the current specification there appears to be no ideal solution to the following scenario:
OrgA trusts OrgB to issue attributes for OrgB's employees
OrgA requires all other users to register and for these users OrgA issues the attributes.
If XACML supported issuer Id this could be simply modelled using two policyStatements, one for OrgB and one for everyone else, the appropriate one being loaded by the PDP from the PRP.
As I understand the present schema, the only way to achieve this would be to add functionality to the PIP to call OrgB's attribute issuer when handling OrgB. This has two problems: 1) It is inflexible in that it becomes difficult to handle complex collaborations with multiple attribute issuers. 2) The policy has to be managed as two separate documents, one specifying the attributes and the second specifying who you trust to issue those attributes.
The addition of an optional AttributeIssuer would appear to resolve this issue.
John Howard
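
The scenario in the message above, sketched as an added example that is not part of the original post and is not XACML syntax: each policy statement names the issuer it trusts, and an attribute only counts when it was asserted by that issuer. The names `PolicyStatement`, `attribute_issuer`, `decide` and the `role` attribute are hypothetical, and the subject's organisation is assumed to come from authentication rather than from a self-asserted attribute.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Attribute:
    attr_id: str
    value: str
    issuer: str  # who asserted this attribute (constructed sample data below)


@dataclass(frozen=True)
class PolicyStatement:
    subject_org: Optional[str]  # None = statement for "everyone else"
    attr_id: str
    value: str
    attribute_issuer: str  # hypothetical optional issuer constraint


# Two statements, as in the message: one for OrgB, one for all other users.
POLICIES = [
    PolicyStatement("OrgB", "role", "engineer", attribute_issuer="OrgB"),
    PolicyStatement(None, "role", "engineer", attribute_issuer="OrgA"),
]


def applicable_policy(subject_org, policies=POLICIES):
    """Pick the statement naming the subject's organisation, else the default."""
    for policy in policies:
        if policy.subject_org is not None and policy.subject_org == subject_org:
            return policy
    return next(p for p in policies if p.subject_org is None)


def decide(subject_org, attributes, policies=POLICIES):
    """Permit only if the required attribute was issued by the trusted issuer."""
    policy = applicable_policy(subject_org, policies)
    for attr in attributes:
        if (attr.attr_id, attr.value) != (policy.attr_id, policy.value):
            continue
        if attr.issuer == policy.attribute_issuer:
            return "Permit"
    # Attribute missing, or present but asserted by an issuer the policy
    # does not trust for this class of subject.
    return "Deny"
```

Trust in an issuer is scoped per statement here, so an OrgB-issued attribute presented by a user outside OrgB is ignored rather than accepted.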
