Subject: Capabilities in XACML
Perhaps this has been covered before, but in case not, does anyone have any experience using XACML to implement "capabilities"?
By that, I think I mean that a local user (subject) obtains a list of "capabilities" ahead of time from a local PDP and presents those to presumably remote PEPs. The remote PEPs then verify the capability assertion, possibly with help from a remote PDP before allowing access to the requested resource(s).
I understand "capabilities" to be essentially integrity protected, data source-authenticated access control decisions. I hope I have this right, as the literature I've seen so far has been vague.
At any rate, it is my impression that capability-based approaches can be helpful in distributed, chained situations that arise in multi-organization/domain transactions, so I am trying to understand what others have found in trying to do this, particularly with XACML (if that is possible) -- the good and the bad.
Thanks,
T. Llanso
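
The flow described in the message above, as an added example that is not part of the original post: a local PDP issues an integrity-protected Permit decision, and a remote PEP verifies it before allowing access. Assumptions: the JSON token layout, the function names and the demo key are all hypothetical, and a shared-key HMAC stands in for the signature scheme a multi-domain deployment would use.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key. Sharing one key between PDP and PEP is an assumption
# of this sketch; across organizations a public-key signature would replace it.
PDP_KEY = b"constructed-demo-key"

def _mac(payload: bytes, key: bytes) -> bytes:
    digest = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest)

def issue_capability(subject, resource, action, now, ttl=300, key=PDP_KEY):
    """Local PDP: record a Permit decision and integrity-protect it."""
    decision = {"sub": subject, "res": resource, "act": action,
                "decision": "Permit", "exp": now + ttl}
    payload = json.dumps(decision, sort_keys=True).encode()
    body = base64.urlsafe_b64encode(payload)
    return (body + b"." + _mac(payload, key)).decode()

def pep_check(token, subject, resource, action, now, key=PDP_KEY):
    """Remote PEP: return (allowed, reason); every failure path denies."""
    try:
        body, tag = token.split(".")
        payload = base64.urlsafe_b64decode(body.encode())
    except ValueError:
        return False, "malformed"
    # Verify integrity and origin before parsing or trusting any field.
    if not hmac.compare_digest(_mac(payload, key), tag.encode()):
        return False, "bad signature"
    cap = json.loads(payload)
    if cap.get("decision") != "Permit":
        return False, "not a permit"
    if now >= cap["exp"]:
        return False, "expired"
    # The capability must cover exactly the request being enforced.
    if (cap["sub"], cap["res"], cap["act"]) != (subject, resource, action):
        return False, "request not covered"
    return True, "ok"

if __name__ == "__main__":
    tok = issue_capability("alice", "/records/42", "read", now=1000)
    print(pep_check(tok, "alice", "/records/42", "read", now=1100))
    print(pep_check(tok, "alice", "/records/43", "read", now=1100))
```

The short expiry matters because the PEP enforces a decision made earlier; a policy change at the PDP does not reach capabilities already issued until they expire.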