Subject: Re: Thoughts on XACML Policy Model...
interesting. the nice thing about this idea is the potential decoupling from a reference time source. depending upon the platform of choice 'time caching' (an effect that i have seen during development on nt where iterative calls for time in a single process use the first time retrieved repeatedly) may break the "AAA.timestamp < BBB.timestamp" model. this also applies to a distributed system whereby even minute time variations amongst machines may cause issues under very high volumes.

b

Subject: RE: Thoughts on XACML Policy Model...
Date: Tue, 07 Aug 2001 10:02:09 -0400
From: Tim Moses <tim.moses@entrust.com>
To: "'xacml@lists.oasis-open.org'" <xacml@lists.oasis-open.org>

Simon - I like your suggestion concerning the best way to express "sequence". Perhaps, we could generalize it a little.

There is at least one other common mechanism for capturing sequence. I refer, of course, to "digital signature": if one signature is within the scope of another signature, then the first signature must have been applied before the second one. If we were to allow your policy statement: "AAA.timestamp < BBB.timestamp" to be tested by examining the scopes of integrity seals, such as digital signatures, then we would be able to enforce sequence with a digital signature infrastructure, as well as with the (at present, much less common) timestamp infrastructure.

We may be close to concluding that the RFC 3060 model, with modest extensions, is suitable for our needs.

Best regards. Tim.
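
The sequence test discussed in this thread, as an added example that is not part of either message: it compares the "AAA.timestamp < BBB.timestamp" check with a check on the scope of integrity seals when both seals carry the same clock reading. HMAC-SHA256 stands in for a digital signature, and the seal layout, keys, timestamps and function names are all constructed for illustration.

```python
import hashlib
import hmac
import json

def _tag(key: bytes, covered: dict) -> str:
    # Canonical serialization so the same covered data always yields the same tag.
    body = json.dumps(covered, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def seal(key: bytes, name: str, timestamp: int, covered: dict) -> dict:
    """Apply an integrity seal over `covered`, which may contain earlier seals."""
    return {"name": name, "timestamp": timestamp,
            "covered": covered, "tag": _tag(key, covered)}

def verify(key: bytes, s: dict) -> bool:
    return hmac.compare_digest(s["tag"], _tag(key, s["covered"]))

def timestamp_before(first: dict, second: dict) -> bool:
    """The strict timestamp comparison from the thread."""
    return first["timestamp"] < second["timestamp"]

def within_scope(inner_name: str, outer: dict, keys: dict) -> bool:
    """True if a valid seal named `inner_name` lies inside the data that the
    valid `outer` seal covers, so the inner seal existed before the outer one."""
    if not verify(keys[outer["name"]], outer):
        return False
    stack = [outer["covered"]]
    while stack:
        node = stack.pop()
        if isinstance(node, dict):
            if node.get("name") == inner_name and "tag" in node:
                return verify(keys[inner_name], node)
            stack.extend(node.values())
    return False

# Constructed sample: AAA seals the payload, then BBB seals payload + AAA's seal.
# Both carry the same clock value, as with a cached or coarse time source.
KEYS = {"AAA": b"constructed-key-aaa", "BBB": b"constructed-key-bbb"}
CACHED_TIME = 997192929  # constructed value
payload = {"payload": "constructed request"}
aaa = seal(KEYS["AAA"], "AAA", CACHED_TIME, payload)
bbb = seal(KEYS["BBB"], "BBB", CACHED_TIME, {**payload, "seal": aaa})

if __name__ == "__main__":
    print("timestamp test:", timestamp_before(aaa, bbb))      # ordering lost
    print("scope test:    ", within_scope("AAA", bbb, KEYS))  # ordering kept
```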