[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: Re: [xacml] 7.7 Obligations
On Mon, 7 Oct 2002, bill parducci wrote: > that would be a contradiction to the decision made by the group some > months ago, and for good reason in my mind: if nothing can be assumed > about the intended use of the azn results, there is little hope of > reproducible access control. Decision or no decision, how does it make sense? What is a PEP? We know what a PDP is. It takes a well formed input and evaluates it against a well formed policy and yields a well formed result semantically consistent with the input and policy. There is a notion of conformity and compliance. Furthermore that compliances is based on mathematic principles. A PEP is merely a point in some application somewhere, that may or may not even call on a PDP, PRP, or a PIP. So, how can you place any coformance requirements on it? Are you going to call an application PEP compliant? Who would care? If you want to have compliance points based on obligations, they should be placed on the component we are defining, the PDP, to give you the correct decision. If the intended behavior is to deny access for non-understandable obligcations, perhaps, we should say that the PDP should be configured with "understandable" obligations, and to answer Deny if a decision of Permit comes up with any obligations not in the "understandable" set. Alternatively, we can put "understandable" obligations in the RequestContext, and the evaluation depends on those "understandable" obligations in the same manner. Cheers, -Polar > this is position also consistent with the solving the functionality > introduced in the original use case submitted by michiharu. > > b > > Polar Humenn wrote: > > > It appears to me that this document merely describes a language, such that > > when a formula of the language is well formed, when evaluated against a > > specific valid input, yields a consistent result. > > > > What the PEP does with that result is up to the PEP. This advice should be > > non-normative. The normative part should only outline the specific manner > > in which obligations are collected in a particular way, according to the > > language, and delivered in the result. > > > > Cheers, > > -Polar > > > ---------------------------------------------------------------- > To subscribe or unsubscribe from this elist use the subscription > manager: <http://lists.oasis-open.org/ob/adm.pl> >
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC