
Subject: RE: [xacml] Proposed semantics for operations involving INDETERMINATE


> >> The client shouldn't know what the operational errors of the PDP actually
> >> are. If it does, it breaks encapsulation of the PDP, and causes the
> >> clients of a PDP to worry about a lot more than Access Decisions, but
> >> also problems with the PDP.
> 
> >indeed! we break encapsulation at this level and we abandon all hope of
> >interoperability (we teeter perilously close to the abyss as it is...)
> 
> Completely disagree.  Every single security system differentiates between,
> say, "incorrect password" and "service not available".

Incorrect password--when passed *as one of the parameters* in the
query--is NOT an operational error. it is reasonable, therefore, to have
defined a legitimate response reflecting the action taken. what is not
appropriate is expecting the PEP to take action because someone changed
the PDP's authentication information to access the PRP (preventing
policy retrieval): that is an operational error.

> In fact what we are discussing is that functions in the constraint may
> "throw exception", besides returning "true" or "false".  I think we do
> need a clear protocol to communicate that - we should not lump together
> a case when no applicable rule was found with the case of a database
> connection timing out..

i fundamentally disagree. you are asking the authorization decision
conversation to encompass operational behaviors. to what end? let's
assume that there is a throw deep within the bowels of some external
function during policy evaluation. what is the PEP supposed to do with
that information? and if it doesn't understand the context of the
message?

b
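As an added illustration of the distinction this message draws (constructed example, not code from the thread or from the XACML specification): a toy PDP that returns an ordinary decision when a bad password arrives *as a request attribute*, but collapses a PRP retrieval failure into Indeterminate and keeps the detail in its own log, while the PEP fails closed on anything other than Permit. The policy store, the `prp_fetch`/`pdp_decide`/`pep_enforce` names and the `prp_available` switch are all constructed.

```python
"""Toy PDP/PEP showing operational errors staying inside the PDP (constructed)."""
import logging

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = (
    "Permit", "Deny", "NotApplicable", "Indeterminate")
log = logging.getLogger("pdp")


class PolicyRetrievalError(RuntimeError):
    """Raised by the PRP stub when policies cannot be fetched (operational error)."""


# Constructed policy store: resource -> required role and expected password.
POLICY_STORE = {"payroll": {"role": "hr", "password": "s3cret"}}


def prp_fetch(resource, prp_available=True):
    """Stand-in for the Policy Retrieval Point; `prp_available` simulates an outage."""
    if not prp_available:
        raise PolicyRetrievalError("PRP rejected the PDP's credentials")
    return POLICY_STORE.get(resource)


def pdp_decide(request, prp_available=True):
    """Evaluate a request. Operational detail is logged here, never returned."""
    try:
        policy = prp_fetch(request["resource"], prp_available)
    except PolicyRetrievalError as exc:
        log.error("policy retrieval failed: %s", exc)  # operator-facing only
        return INDETERMINATE
    if policy is None:
        return NOT_APPLICABLE  # no applicable rule is a normal outcome
    if (request.get("role") == policy["role"]
            and request.get("password") == policy["password"]):
        return PERMIT
    return DENY  # wrong credentials in the request: a legitimate decision, not an error


def pep_enforce(decision):
    """PEP: only Permit grants access; Indeterminate and NotApplicable fail closed."""
    return decision == PERMIT
```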
