
xacml-users message



Subject: Re: [xacml-users] Help on Condition ? <-- Obligations


I would be OK with any solution that allows sending an expression in a XACML response.

The second thought is "Why would we need obligations at all if we can send an arbitrary expression back?" What PEP should do with Obligations is not clearly defined anyway (at least it's not in normative sections). It means that obligation processing is very much implementation-specific now. It will remain implementation-specific if we use an arbitrary optional expression that can be sent back by PDP and analyzed by PEP.

What PEP is going to do with that is up to PEP. Where exactly we put the expression does not seem very important to me.




--- On Mon, 12/15/08, Seth Proctor <Seth.Proctor@sun.com> wrote:

> From: Seth Proctor <Seth.Proctor@sun.com>
> Subject: Re: [xacml-users] Help on Condition ? <-- Obligations
> To: xacml-users@lists.oasis-open.org
> Date: Monday, December 15, 2008, 2:18 PM
> I've been holding back on this discussion because
> I'm still somewhat unsure
> what I think of the issue. Generally, I agree with what
> Bill has suggested,
> that the notion of an "Obligation" is really
> different than what we want
> for notification, and while it can be used here it's
> further confusing an
> already (in my opinion) complex feature. On the other hand,
> I hate to
> introduce a new mechanism at this point, or rush to push
> Obligations into
> Rules without fully understanding what the impact here
> would be.
> 
> I do very much believe that notification is a strong
> use-case. With that
> in mind, I wonder what others would think about using the
> Status element
> for this application. My experience is that Status
> doesn't get used much,
> since you can't include any detail except on
> Indeterminate, and even
> then there's no ability for a policy writer to provide
> status details.
> What about allowing Detail with a Status of Deny, and
> adding a new
> attribute (or something) to Rule that let you define the
> Detail? I'm
> making this up as I go along, but it seems like it might
> get us what
> we want without having to invent anything too new or
> confusing.
> 
> Thoughts?
> 
> 
> seth
> 


      

