

Subject: Re: [xacml] proposed amendment to Polar's resolution of PM-2-05


because it provides information on what is necessary to make a decision
for granting access. while this sounds appealing from a programmatic
perspective, it is a fundamental no-no in a security transaction because
it provides feedback for 'safecracking'. in other words, it allows a
nefarious entity to 'query' the system for information leading to
access.

b

Anne Anderson - Sun Microsystems wrote:
> 
> Bill, could you explain your problem?  Sometimes a PEP does not want to
> expose to the PDP all possible attribute values, but only those really
> needed.  By having the PDP supply a list of those attributes required
> for a decision, the PEP can send only those.  In fact, the PDP could
> return a structured set of attributes: "I could return a decision if
> you supply A, B, and C OR D and E."
> 
> Another case is to support the Java Policy "getPermissions" API.  In
> this case, the PEP supplies a partial list of attributes, and gets back
> a list of Permissions (resource/action pairs) that remain as the only
> unknown attributes after substituting the supplied attributes into all
> the Permit rules.  So far, Java Security developers have not indicated
> any requirements for implementing this API, but it is a potential case.
>
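
The trade-off argued in this thread, as an added example that is not part of either message: a toy PDP that either returns the alternative sets of attributes still needed for a Permit, as in the "A, B, and C OR D and E" case, or withholds them so the caller learns nothing about the policy. The policy, the attribute values and the names `PERMIT_RULES`, `evaluate` and `disclose_missing` are constructed for illustration and are not XACML syntax or any engine's API.

```python
# Added illustration: a toy decision point, not XACML syntax or a real engine.
# Constructed policy: Permit if (A, B and C) match OR (D and E) match.
PERMIT_RULES = [
    {"A": "staff", "B": "finance", "C": "on-site"},
    {"D": "auditor", "E": "read-only"},
]


def evaluate(request, disclose_missing):
    """Return (decision, missing) for a dict of supplied attribute values.

    missing is a list of alternatives; each alternative is the sorted list
    of attribute names that would still have to be supplied for one Permit
    rule to become decidable. It is empty when disclosure is switched off.
    """
    alternatives = []
    for rule in PERMIT_RULES:
        # A supplied value that contradicts the rule means it can never fire.
        if any(k in request and request[k] != v for k, v in rule.items()):
            continue
        missing = sorted(k for k in rule if k not in request)
        if not missing:
            return "Permit", []
        alternatives.append(missing)
    if not alternatives:
        return "Deny", []
    # Not decidable from what was supplied. Returning the alternatives is the
    # feedback the thread disagrees about: it exposes which attributes the
    # Permit rules depend on. With disclosure off only the decision is returned.
    return "Indeterminate", (alternatives if disclose_missing else [])


if __name__ == "__main__":
    partial = {"D": "auditor"}  # constructed partial request
    print(evaluate(partial, disclose_missing=True))
    print(evaluate(partial, disclose_missing=False))
```

With disclosure on, each response to a partial request narrows down the policy's structure; with it off, the PEP has to know in advance which attributes to send.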

