OASIS Mailing List Archives

xacml-users message


Subject: Re: [xacml-users] XACML expressiveness (WAS: RE: [xacml-users] retrieving a list or query filter of resources the caller is authorized for)


The idea of using "Advice" for any purpose for access control is simply wrong at this stage unless the standard changes.

The standard states that a "PEP can safely ignore "Advice" without any problem".

How can you even think of using it???? Access control which is not enforceable is not an access control at all.

You can misuse it to implement any capability, but it is not a standard-based system and it can't be used mix-and-match with different PEP and PDP vendors. Interoperability is the purpose of a standard.

Misuse or proprietary interpretation/implementation is of course OK for systems or mechanisms that are for internal use only, but you should not claim that that is XACML compliant. It is only an XACML-like system (or partially compliant).

On the contrary, it is perfectly constructive to improve a standard by thinking which feature or capability can be altered/expanded, that requires the revision of the standard properly. That is all welcome, but I don't think that using the Advice or Obligation is either necessary or appropriate in these cases argued so far.

Yoichi


On 21/04/2010, at 2:15 AM, Oleg Gryb wrote:

>> 
>> This limitation was removed in 3.0, which allows expressions in
>> Obligation and Advice.
> 
> That's good news, Paul, thanks! Is 3.0 still in draft? Do we have a confirmed release date for the final version?
> 
>> The TC decided that "Advice" was general enough. 
> If this is the case then what I've suggested for Ralf's use case should work, at least it should not contradict the semantics of "Advice", right? If not, please let me know why.
> 
> 


