OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


Subject: RE: [xacml] 7.7 Obligations



>The PDP knows to send you a response with Permit with a obligation of
>http://www.overXeer.com/obligations/1. However, if the PDP evaluates the
>policy and it gets a Permit with http://www.adiron.com/obligations/45.
>What do you do?


The one little problem with this is that it matters very little whether PDP
understands what KIND of obligation it is OK to issue.
The only purpose of obligation existence is whether it can be FULFILLED.
Fulfilling an obligation is an essentially runtime action - so any PEP/PDP
communication protocol designed to affect the decision issued based on
applicability of an obligation will have to be a runtime feedback protocol.
Of the type:
"Here is PERMIT to enter, but sign up first"
"OK, but I forgot my name"
"Well, then DENY"

Is there any value in such protocol?  It would seem to me that it does not
matter at all whether PDP knows anything about obligations - it is just a
result that has a meaning known to the policy author and the policy consumer
- it should not be part of the standard..  We should only worry whether it
can be unambiguously computed.




Of course you do. If you are going to include those kind of obligations,
where do you think they are going to come from? They are just URIs.

So, your obligation has a URI:

http://www.overXeer.com/obligations/1

which states that "send with 128 bit encryption, *no* 56 bit
encryption".

Your PEP sends a request

<RequestContext>
  <subject>
  <resource>
  <action>
  <Understandable Obligations>
	<Obligation> http://www.overXeer.com/obligations/1 </Obligation>
	<Obligation> http://www.overXeer.com/obligations/2 </Obligation>
	<Obligation> http://www.overXeer.com/obligations/3 </Obligation>
	<Obligation> http://www.overXeer.com/obligations/4 </Obligation>
  </Understanble Obligation>
</RequestContext>


The PDP knows to send you a response with Permit with a obligation of
http://www.overXeer.com/obligations/1. However, if the PDP evaluates the
policy and it gets a Permit with http://www.adiron.com/obligations/45.

What do you do?

You can easily make the PDP return Deny without knowing anything about
the
PEP.




[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


Powered by eList eXpress LLC