
xacml-comment message


Subject: Re: [xacml-comment] A002

Anne Anderson - Sun Microsystems wrote:

>The intent of test A002 is to exercise one of the primary advantages of
>XACML: the ability to have the PDP side of the system obtain attributes
>that are not necessarily supplied by the PEP.  Section 7.9.2 covers this,
>although we were so careful not to specify a particular implementation
>that perhaps we were not specific enough.
>It is the "context handler" that is responsible for supplying attribute
>values, and it is the existence of a context handler that is independent
>of any physical XML Request document that is being tested in A002.  If
>we do not have a test of this kind, implementors can limit their
>capabilities to parsing an XML Request document using standard XML tools
>and retrieving attributes from that.  We have specifically stated that
>the Context is NOT to be considered as a physical XML document (although
>it is certainly based on some sort of document received from the PDP),
>and that attribute values are obtained from the context handler.
>I am posting this to the XACML list for discussion.  Do we want to require
>the functionality required by Conformance Test A001?

The test special instructions state that it is the PDP that is responsible
for fetching the attribute, but your comments above suggest that it is the
responsibility of the context handler to fetch the attribute and supply it
to the PDP.

But, how does a context handler know which attributes are going to be needed
by the PDP... it'd have to either send everything it has access to in the
PIP... or do what the PDP would do in order to find out what the PDP is going
to need.

So, therefore only the PDP knows which attributes are not available to it
within the request context, so it must issue the request for the attribute,
but the spec (7.9.2) specifically says that in this case the PDP returns
Indeterminate.

Does anyone have a PDP that passes A002?
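
One way to read the arrangement in the quoted message, sketched as an added example (not part of either message, and not code from the XACML specification or any implementation): the PDP asks the context handler for each attribute by identifier as evaluation reaches it, and the handler answers from the request or from an external attribute source. All class, function and attribute names and the directory data are assumptions made for the illustration, as is mapping an unresolvable attribute to Indeterminate.

```python
# Added illustration: every name below is hypothetical, not from the XACML spec.
from typing import Callable, Dict, List, Optional, Tuple


class ContextHandler:
    """Answers attribute queries from the request first, then from a PIP."""

    def __init__(self, request_attrs: Dict[str, str],
                 pip_lookup: Callable[[str, str], Optional[str]]):
        self.request_attrs = request_attrs
        self.pip_lookup = pip_lookup
        self.pip_queries: List[str] = []  # attribute ids fetched externally

    def get(self, attr_id: str) -> Optional[str]:
        if attr_id in self.request_attrs:
            return self.request_attrs[attr_id]
        # Not in the request: look it up for this subject, only now that
        # policy evaluation has actually asked for it.
        self.pip_queries.append(attr_id)
        subject = self.request_attrs.get("subject-id", "")
        return self.pip_lookup(subject, attr_id)


def evaluate(rule: dict, ctx: ContextHandler) -> str:
    """Toy PDP: names each attribute it needs and lets the handler find it."""
    for attr_id, expected in rule["conditions"]:
        value = ctx.get(attr_id)
        if value is None:
            return "Indeterminate"  # assumption: unresolvable attribute
        if value != expected:
            return "NotApplicable"
    return rule["effect"]


# Constructed sample data: a directory standing in for the PIP, and one rule.
PIP_DIRECTORY = {("alice", "role"): "physician",
                 ("alice", "department"): "cardiology",
                 ("alice", "clearance"): "confidential"}
RULE = {"effect": "Permit",
        "conditions": [("action-id", "read"), ("role", "physician")]}


def decide(request_attrs: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return the decision and the attribute ids that were fetched from the PIP."""
    ctx = ContextHandler(request_attrs, lambda s, a: PIP_DIRECTORY.get((s, a)))
    return evaluate(RULE, ctx), ctx.pip_queries


if __name__ == "__main__":
    print(decide({"subject-id": "alice", "action-id": "read"}))
```

In this sketch the handler neither forwards the whole directory nor pre-evaluates the policy: only `role` is fetched, because that is the only attribute the rule asked for that the request did not carry.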

