Subject: RE: [xacml] 7.7 Obligations
>The PDP knows to send you a response with Permit with an obligation of
>http://www.overXeer.com/obligations/1. However, if the PDP evaluates the
>policy and it gets a Permit with http://www.adiron.com/obligations/45.
>What do you do?

The one little problem with this is that it matters very little whether the PDP understands what KIND of obligation it is OK to issue. The only purpose of obligation existence is whether it can be FULFILLED. Fulfilling an obligation is an essentially runtime action - so any PEP/PDP communication protocol designed to affect the decision issued based on applicability of an obligation will have to be a runtime feedback protocol. Of the type:

"Here is PERMIT to enter, but sign up first"
"OK, but I forgot my name"
"Well, then DENY"

Is there any value in such a protocol? It would seem to me that it does not matter at all whether the PDP knows anything about obligations - it is just a result that has a meaning known to the policy author and the policy consumer - it should not be part of the standard. We should only worry whether it can be unambiguously computed.

Of course you do. If you are going to include those kinds of obligations, where do you think they are going to come from? They are just URIs. So, your obligation has a URI: http://www.overXeer.com/obligations/1 which states that "send with 128 bit encryption, *no* 56 bit encryption". Your PEP sends a request

    <RequestContext>
      <subject>
      <resource>
      <action>
      <Understandable Obligations>
        <Obligation> http://www.overXeer.com/obligations/1 </Obligation>
        <Obligation> http://www.overXeer.com/obligations/2 </Obligation>
        <Obligation> http://www.overXeer.com/obligations/3 </Obligation>
        <Obligation> http://www.overXeer.com/obligations/4 </Obligation>
      </Understandable Obligations>
    </RequestContext>

The PDP knows to send you a response with Permit with an obligation of http://www.overXeer.com/obligations/1. However, if the PDP evaluates the policy and it gets a Permit with http://www.adiron.com/obligations/45. What do you do? You can easily make the PDP return Deny without knowing anything about the PEP.
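The two positions in this thread, side by side, as an added example that is not part of the original messages: a PDP that turns Permit into Deny when the result carries an obligation URI the PEP did not declare, and a PEP that fulfils obligations at run time and denies when one is unknown or fails. The names `Result`, `pdp_evaluate`, `pep_enforce` and the handlers are hypothetical; only the obligation URIs come from the thread.

```python
from dataclasses import dataclass

PERMIT, DENY = "Permit", "Deny"

@dataclass(frozen=True)
class Result:
    decision: str
    obligations: frozenset = frozenset()

def pdp_evaluate(policy_result, understood=None):
    """PDP side. `policy_result` is what policy evaluation produced.
    If the request listed the obligation URIs the PEP understands, a Permit
    carrying any other obligation is returned as Deny. The PDP only compares
    URIs; it needs no knowledge of what an obligation means."""
    if understood is None or policy_result.decision != PERMIT:
        return policy_result
    unknown = policy_result.obligations - frozenset(understood)
    return Result(DENY) if unknown else policy_result

def pep_enforce(result, handlers):
    """PEP side. Fulfilment is a run-time action: every obligation must have
    a handler and that handler must succeed, otherwise access is denied."""
    if result.decision != PERMIT:
        return DENY
    for uri in sorted(result.obligations):
        handler = handlers.get(uri)
        if handler is None or not handler():
            return DENY
    return PERMIT

# Constructed sample data using the URIs quoted in the thread.
OVX = "http://www.overXeer.com/obligations/%d"
UNDERSTOOD = [OVX % n for n in (1, 2, 3, 4)]
ADIRON_45 = "http://www.adiron.com/obligations/45"

# Hypothetical handlers: /1 can be fulfilled, /2 fails at run time
# (the "OK, but I forgot my name" case).
HANDLERS = {OVX % 1: lambda: True, OVX % 2: lambda: False}

if __name__ == "__main__":
    foreign = Result(PERMIT, frozenset({ADIRON_45}))
    print(pdp_evaluate(foreign, UNDERSTOOD).decision)  # PDP-side check
    print(pep_enforce(foreign, HANDLERS))              # PEP-side check
```

The PDP-side check covers only whether the PEP recognises the URI; a recognised obligation that cannot be fulfilled at run time is caught only by the PEP-side check.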