
xacml message



Subject: Re: Thoughts on XACML Policy Model...


interesting. the nice thing about this idea is the potential decoupling
from a reference time source. depending upon the platform of choice 'time
caching' (an effect that i have seen during development on nt where
iterative calls for time in a single process use the first time
retrieved repeatedly) may break the "AAA.timestamp < BBB.timestamp"
model. this also applies to a distributed system whereby even minute
time variations amongst machines may cause issues under very high
volumes.

b

Subject: RE: Thoughts on XACML Policy Model...
Date: Tue, 07 Aug 2001 10:02:09 -0400
From: Tim Moses <tim.moses@entrust.com>
To: "'xacml@lists.oasis-open.org'" <xacml@lists.oasis-open.org>

Simon - I like your suggestion concerning the best way to express
"sequence". Perhaps, we could generalize it a little. There is at
least one other common mechanism for capturing sequence. I refer, of
course, to "digital signature": if one signature is within the scope of
another signature, then the first signature must have been applied
before the second one. If we were to allow your policy statement:
"AAA.timestamp < BBB.timestamp" to be tested by examining the scopes of
integrity seals, such as digital signatures, then we would be able to
enforce sequence with a digital signature infrastructure, as well as
with the (at present, much less common) timestamp infrastructure.
 
We may be close to concluding that the RFC 3060 model, with modest
extensions, is suitable for our needs.
 
Best regards.  Tim.
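
The two sequence tests discussed in this thread, side by side, as an added example that is not part of the original messages: a timestamp comparison that fails when both seals read the same cached clock value, and a scope check that still shows AAA was sealed before BBB. HMAC stands in for a real digital signature, and the keys, record layout and function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed signer keys; HMAC is a stand-in for a real digital signature.
KEYS = {"AAA": b"constructed-key-for-AAA", "BBB": b"constructed-key-for-BBB"}


def seal(signer, content, timestamp, inner=None):
    """Seal content; if `inner` is given, the new seal's scope covers it."""
    scope = content + (inner["mac"].encode() if inner else b"")
    mac = hmac.new(KEYS[signer], scope, hashlib.sha256).hexdigest()
    return {"signer": signer, "content": content, "timestamp": timestamp,
            "inner": inner, "mac": mac}


def verify(s):
    """Recompute the seal over its scope, recursing into any enclosed seal."""
    inner = s["inner"]
    if inner is not None and not verify(inner):
        return False
    scope = s["content"] + (inner["mac"].encode() if inner else b"")
    expected = hmac.new(KEYS[s["signer"]], scope, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, s["mac"])


def before_by_timestamp(a, b):
    """The policy test as written: AAA.timestamp < BBB.timestamp."""
    return a["timestamp"] < b["timestamp"]


def before_by_scope(a, b):
    """True if a's seal lies, at any depth, within the scope of b's valid seal."""
    if not verify(b):
        return False
    cur = b["inner"]
    while cur is not None:
        if hmac.compare_digest(cur["mac"], a["mac"]):
            return True
        cur = cur["inner"]
    return False


# Constructed case: both seals were stamped from the same cached clock value.
CACHED_TIME = 1000
aaa = seal("AAA", b"request approved", CACHED_TIME)
bbb = seal("BBB", b"request countersigned", CACHED_TIME, inner=aaa)
```

The scope test needs no clock at all, but it only orders seals that are nested; two independent seals remain unordered by it.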

