OASIS Mailing List Archives

xacml-users message


Subject: Capabilities in XACML

Perhaps this has been covered before, but in case not, does anyone have any experience using XACML to implement "capabilities"? By that, I think I mean that a local user (subject) obtains a list of "capabilities" ahead of time from a local PDP and presents those to presumably remote PEPs. The remote PEPs then verify the capability assertion, possibly with help from a remote PDP, before allowing access to the requested resource(s).
I understand "capabilities" to be essentially integrity protected, data source-authenticated access control decisions.  I hope I have this right, as the literature I've seen so far has been vague.
At any rate, it is my impression that capability-based approaches can be helpful in distributed, chained situations that arise in multi-organization/domain transactions, so I am trying to understand what others have found in trying to do this, particularly with XACML (if that is possible) -- the good and the bad.
T. Llanso
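
The flow the message describes, sketched as an added example that is not part of the original post and is not XACML syntax: a local PDP issues an integrity-protected Permit decision and a remote PEP verifies it before granting access. The shared HMAC key, the claim names, the token layout and both function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

# Assumption: the PDP and the PEP share this key out of band (constructed value).
# An asymmetric signature would keep PEPs from minting capabilities themselves.
PDP_KEY = b"constructed-demo-key"

def _seal(body: bytes, key: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()

def issue_capability(subject, resource, action, issuer, now, ttl=300, key=PDP_KEY):
    """Local PDP: serialize a Permit decision and attach an HMAC tag."""
    claims = {"iss": issuer, "sub": subject, "res": resource,
              "act": action, "decision": "Permit", "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    enc = base64.urlsafe_b64encode
    return (enc(body) + b"." + enc(_seal(body, key))).decode()

def verify_capability(token, subject, resource, action, trusted_issuers, now,
                      key=PDP_KEY):
    """Remote PEP: return (allowed, reason); any failure denies access."""
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:
        return False, "malformed"
    # Integrity and source check first; claims are parsed only after it passes.
    if not hmac.compare_digest(tag, _seal(body, key)):
        return False, "bad-integrity"
    claims = json.loads(body)
    if claims["iss"] not in trusted_issuers:
        return False, "untrusted-issuer"
    if now >= claims["exp"]:
        return False, "expired"
    # The capability covers exactly one subject/resource/action triple.
    if (claims["sub"], claims["res"], claims["act"]) != (subject, resource, action):
        return False, "scope-mismatch"
    return True, "ok"

if __name__ == "__main__":
    pdp = "pdp.local.example"  # constructed issuer name
    cap = issue_capability("alice", "/records/42", "read", pdp, now=1000)
    print(verify_capability(cap, "alice", "/records/42", "read", {pdp}, 1100))
    print(verify_capability(cap, "alice", "/records/42", "write", {pdp}, 1100))
```

The expiry claim bounds how long a decision made ahead of time stays usable, which matters because the PEP accepts it without consulting the issuing PDP again.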
