Subject: Re: [xacml] [model] Proposal of Post Condition
I think I agree with Bill's position on this: the PDP should be just an evaluation engine. It can not be held responsible for enforcing any actions as a result of the evaluation.

Post conditions, if we use them, should just be values that are returned to the PEP and are meaningful only to the PEP. It is up to the PEP to enforce them. I think the semantics of post conditions are hard to manage in access control unless we want the PDP to be far more than an evaluation engine.

The one strong argument for PDP-enforced post conditions I have heard is that certain actions should be logged by the PDP, showing exactly how the result was obtained. I think this can probably be an implementation feature for a PDP, managed by PDP configuration and outside of the scope of XACML. It is not part of a policy.

Anne
--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
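The separation argued for in the message above, as an added sketch that is not part of the original e-mail or of any XACML text: the PDP only evaluates and returns post conditions as opaque values, the PEP alone acts on them, and PDP logging is a configuration switch rather than policy. All class, rule and post-condition names are hypothetical, and refusing access when the PEP cannot enforce a post condition is an assumption of this sketch.

```python
# Added illustration; Pdp, Pep, "notify-owner" and "encrypt-copy" are hypothetical names.
import logging
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Response:
    decision: str                      # "Permit" or "Deny"
    post_conditions: tuple = ()        # opaque to the PDP, meaningful only to the PEP

@dataclass
class Pdp:
    """Pure evaluation engine: matches rules, returns a Response, enforces nothing."""
    rules: list                        # (role, action, decision, post_conditions)
    audit: bool = False                # PDP configuration, not part of any policy
    log: logging.Logger = field(default_factory=lambda: logging.getLogger("pdp"))

    def evaluate(self, role, action):
        resp = Response("Deny")        # default when no rule matches
        for r_role, r_action, decision, posts in self.rules:
            if (r_role, r_action) == (role, action):
                resp = Response(decision, tuple(posts))
                break
        if self.audit:                 # implementation feature, outside the policy
            self.log.info("role=%s action=%s -> %s", role, action, resp)
        return resp

class Pep:
    """Enforcement point: the only component that acts on post conditions."""
    def __init__(self, pdp, handlers):
        self.pdp, self.handlers, self.performed = pdp, handlers, []

    def request(self, role, action):
        resp = self.pdp.evaluate(role, action)
        if resp.decision != "Permit":
            return False
        # Assumption of this sketch: an unenforceable post condition refuses access.
        if any(p not in self.handlers for p in resp.post_conditions):
            return False
        for p in resp.post_conditions:
            self.handlers[p](role, action)      # the PEP carries out the action
            self.performed.append(p)
        return True

def demo():
    # Constructed sample rules; the PEP knows only the "notify-owner" handler.
    rules = [("doctor", "read-record", "Permit", ["notify-owner"]),
             ("nurse", "read-record", "Permit", ["encrypt-copy"])]
    pep = Pep(Pdp(rules, audit=True), {"notify-owner": lambda role, action: None})
    results = [pep.request(r, "read-record") for r in ("doctor", "nurse", "guest")]
    return results, pep.performed
```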