Subject: Re: [xacml-dev] attribute retrieval protocol
Anne's comment about the SAML profile is a good one. It will help with some of what you're trying to do. Let me point out something else.

On Oct 9, 2004, at 2:39 PM, Argyn wrote:

> [...]
> I thought if there were XML schema to request attribute, then this
> could work better in Web environment. A client sends XACML Request to
> PDP server. Currently, it expects to get XACML Response with a
> decision.
> What if we change Response contract, making it return a request for
> additional information. There'll be XACML schema for a response with
> such a request.

What you're looking for is already available. When a Response is returned, it can contain Status, which in turn can include specific details about the evaluation. One use for this that the specification calls out is returning a Decision of Indeterminate, and including Status that names specific missing attributes, and optionally acceptable values for those attributes. The specification got a little messed up in 1.x, but has been clarified in 2.0. It gives you exactly what you're looking for.

Using this approach, the PEP and PDP can have a multi-message exchange until the PDP returns a non-Indeterminate Decision, or the PEP can no longer provide missing attributes.

I think the SAML info is still good to look at, since I would far prefer a system where the context handler can fetch attributes as needed, as opposed to constantly re-querying the PEP. However, in a system where you can't make attributes in your app available to the context handler, this Response-driven mechanism should work for you.

seth
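The Response-driven exchange described in the reply, worked through as an added example (not code from the list post or from any XACML implementation). The PEP side parses an XACML 2.0 Response, and when the Decision is Indeterminate with the missing-attribute StatusCode it reads the MissingAttributeDetail elements, adds whichever of those attributes it holds, and re-sends, stopping when the PDP returns a non-Indeterminate Decision or the PEP has nothing more to offer. The PDP is a constructed stand-in that takes a plain dictionary rather than a Request document; the attribute identifiers `urn:example:role` and `urn:example:department` and the sample values are invented for the example.

```python
"""PEP/PDP missing-attribute exchange (XACML 2.0 Response handling).

Added example; the PDP below is a constructed stand-in, not a real XACML engine.
"""
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
MISSING_ATTRIBUTE = "urn:oasis:names:tc:xacml:1.0:status:missing-attribute"
STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"


def _q(tag):
    """Namespace-qualify a context-schema tag for ElementTree lookups."""
    return f"{{{CTX}}}{tag}"


def parse_result(response_xml):
    """Return (decision, missing) where missing is a list of
    (AttributeId, DataType, [acceptable values]) taken from the Status
    details of an Indeterminate result, or [] for any other result."""
    root = ET.fromstring(response_xml)
    result = root.find(_q("Result"))
    decision = result.findtext(_q("Decision"))
    code = result.find(f"{_q('Status')}/{_q('StatusCode')}")
    missing = []
    if decision == "Indeterminate" and code is not None and code.get("Value") == MISSING_ATTRIBUTE:
        for detail in result.iter(_q("MissingAttributeDetail")):
            values = [v.text for v in detail.findall(_q("AttributeValue"))]
            missing.append((detail.get("AttributeId"), detail.get("DataType"), values))
    return decision, missing


def decision_response(decision, status_code=STATUS_OK, detail=""):
    """Build a minimal XACML 2.0 Response document."""
    return (f'<Response xmlns="{CTX}"><Result><Decision>{decision}</Decision>'
            f'<Status><StatusCode Value="{status_code}"/>{detail}</Status></Result></Response>')


def indeterminate_missing(attribute_id, acceptable):
    """Indeterminate Response naming one missing attribute and, optionally,
    the values the PDP would accept for it."""
    values = "".join(f'<AttributeValue DataType="{XS_STRING}">{v}</AttributeValue>' for v in acceptable)
    detail = (f'<StatusDetail><MissingAttributeDetail AttributeId="{attribute_id}" '
              f'DataType="{XS_STRING}">{values}</MissingAttributeDetail></StatusDetail>')
    return decision_response("Indeterminate", MISSING_ATTRIBUTE, detail)


def toy_pdp(attrs):
    """Constructed PDP: needs a role (only 'auditor' is acceptable) and a
    department, and permits auditors from finance. Real PDPs take a Request."""
    for needed, acceptable in (("urn:example:role", ["auditor"]), ("urn:example:department", [])):
        if needed not in attrs:
            return indeterminate_missing(needed, acceptable)
    permit = attrs["urn:example:role"] == "auditor" and attrs["urn:example:department"] == "finance"
    return decision_response("Permit" if permit else "Deny")


def negotiate(pdp, available, max_rounds=5):
    """PEP side of the exchange. `available` holds the attributes this PEP is
    permitted to disclose; anything the PDP asks for outside it is refused.
    Returns (final decision, attributes supplied)."""
    supplied = {}
    for _ in range(max_rounds):                      # hard cap: never loop on a PDP that keeps asking
        decision, missing = parse_result(pdp(supplied))
        if decision != "Indeterminate" or not missing:
            return decision, dict(supplied)
        progress = False
        for attr_id, _data_type, _acceptable in missing:   # AttributeIds come from the PDP: look them up, never eval them
            if attr_id in available and attr_id not in supplied:
                supplied[attr_id] = available[attr_id]
                progress = True
        if not progress:                             # PEP cannot satisfy the PDP: stop with Indeterminate
            return decision, dict(supplied)
    return "Indeterminate", dict(supplied)


if __name__ == "__main__":
    print(negotiate(toy_pdp, {"urn:example:role": "auditor", "urn:example:department": "finance"}))
    print(negotiate(toy_pdp, {"urn:example:role": "auditor"}))
```

Two design points carry over to a real deployment: the PEP only ever supplies attributes from its own allow-list, so a Status that names an unexpected AttributeId is simply left unsatisfied, and the round cap bounds the exchange so a PDP that never stops asking cannot keep the PEP busy.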