OASIS Mailing List Archives

xacml message


Subject: RE: [xacml] pdp status element


That's definitely a very useful behaviour, which probably should be made default, and mandatory to implement.
 
But I do not think we should unnecessarily limit the protocol to accommodate only this usage. All
these issues may be solved at PEP level just as well - it is up to an application to interpret each possible result.
 
For example, for credentials foo = 1 and spam = 0, two rules,
and policy
<
permit if (divide foo spam) > 1
permit if foo > 0
>
 
it does not seem absolutely clear to me that the result should be DENY (or PERMIT as well - there may be choices..)
-----Original Message-----
From: Simon Godik [mailto:simon@godik.com]
Sent: Thursday, July 25, 2002 1:37 PM
To: xacml@lists.oasis-open.org
Subject: [xacml] pdp status element

Although I proposed Status element for the schema,
I think that if we view authorization as "proof-of-compliance"
ie: does a set of presented credentials prove that request complies
with a policy, I have to agree with Polar, that missing credential
should not raise an error but deny access.
 
Simon Godik
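
The two-rule case from the reply above (foo = 1, spam = 0), as an added example that is not part of either message: a toy evaluator, not the XACML combining algorithms, showing how the final decision changes with the way a failed rule evaluation is handled. The function names and the `on_error` modes ("deny", "skip", "report") are assumptions made for illustration.

```python
# Added illustration: toy rule evaluator, not the XACML specification's algorithms.
PERMIT, DENY, INDETERMINATE, NOT_APPLICABLE = (
    "Permit", "Deny", "Indeterminate", "NotApplicable")

def rule_divide(creds):
    # permit if (divide foo spam) > 1
    return PERMIT if creds["foo"] / creds["spam"] > 1 else NOT_APPLICABLE

def rule_positive(creds):
    # permit if foo > 0
    return PERMIT if creds["foo"] > 0 else NOT_APPLICABLE

def evaluate_rule(rule, creds):
    """Run one rule; map an evaluation failure (bad operand, missing
    credential) to Indeterminate plus a status string."""
    try:
        return rule(creds), None
    except (ZeroDivisionError, KeyError) as exc:
        return INDETERMINATE, f"{rule.__name__}: {type(exc).__name__}"

def decide(rules, creds, on_error):
    """Combine rule results. on_error (hypothetical modes):
       'deny'   - any failed rule forces Deny (fail closed in the PDP)
       'skip'   - failed rules are ignored; Permit if any rule permits
       'report' - return Indeterminate and let the PEP interpret the status"""
    if on_error not in ("deny", "skip", "report"):
        raise ValueError(f"unknown on_error mode: {on_error}")
    results = [evaluate_rule(r, creds) for r in rules]
    statuses = [s for _, s in results if s]
    if statuses and on_error == "deny":
        return DENY, statuses
    if statuses and on_error == "report":
        return INDETERMINATE, statuses
    permitted = any(d == PERMIT for d, _ in results)
    return (PERMIT if permitted else DENY), statuses

if __name__ == "__main__":
    creds = {"foo": 1, "spam": 0}          # constructed sample credentials
    for mode in ("deny", "skip", "report"):
        print(mode, decide([rule_divide, rule_positive], creds, mode))
```

A PEP that receives the "report" result still has to fail closed or open on its own; the status list only tells it which rule could not be evaluated.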
 

