Subject: Re: [xacml] Alternative to Michiharu's proposal.



I think we should just stick to one PEP to one PDP. There is really no
need to talk about multiple applications or multiple points within an
application.

I define a PEP to be a role of asking a single PDP for an access decision.
So, it is implied that we are only talking about one PEP, i.e. "the PEP".

A rewording follows, as I already caught the same things bill caught
on the rebound.

-Polar



On Wed, 9 Oct 2002, bill parducci wrote:

> looks good, just a couple of things:
>
> seems to be some wording missing:
>
> > This use profile covers the a single PEP
> > configured with a single PDP.
>
> should read (?):
>
> This use profile covers the CASE OF a single PEP
> configured with a single PDP.
>
> same here:
>
> > Multiple PEP to PDP configurations outside
> > the scope of this specification
>
> Multiple PEP to PDP configurations ARE outside OF the scope of this specification
>
> i don't think the word 'single' should apply to the PEP -- this model is independent of the number of PEPs (as long as there is a single source of authorization). that said i propose that this be the text:
>
>
> 7.1 Use Profile for XACML Request
>
> This section describes the use profile for using an XACML PDP in an application environment. This use profile covers the case of one or more PEPs configured to make authorization decision queries to a single PDP. Multiple PEP to PDP configurations are outside of the scope of this specification.
>
> An application functions in the role of the PEP if it guards access to a particular resource and asks the PDP for an access decision. The PEP that
> asks the PDP for an access decision SHALL abide by the result of that access decision in the following way:
>
> A PEP SHALL allow access to the particular resource ONLY IF a valid XACML response of "Permit" is returned by the PDP. The PEP SHALL deny access to
> the particular resource in all other cases. An XACML response of "Permit" SHALL be considered valid ONLY IF the PEP understands all of the
> obligations that may be contained in the response.
>
> A PEP that receives a valid XACML response of "Permit" with obligations SHALL be responsible for fulfilling all of those obligations. A PEP that
> receives an XACML response of "Deny" with obligations SHALL be responsible for fulfilling all of the obligations that it understands.
>
>
> b
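The enforcement rule in the proposed section 7.1 text above, worked through as an added example (not code from the thread or from any XACML implementation): a PEP that allows access only on a Permit whose obligations it all understands, fulfils the understood obligations on a Deny, and treats every other outcome as a deny. The sample responses, the `urn:example:...` obligation identifiers and the omitted namespace prefixes are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample responses (not from the thread); namespace prefixes omitted for brevity.
PERMIT_WITH_LOG = """<Response><Result>
  <Decision>Permit</Decision>
  <Obligations><Obligation ObligationId="urn:example:obligation:log" FulfillOn="Permit"/></Obligations>
</Result></Response>"""
DENY_WITH_TWO = """<Response><Result>
  <Decision>Deny</Decision>
  <Obligations>
    <Obligation ObligationId="urn:example:obligation:log" FulfillOn="Deny"/>
    <Obligation ObligationId="urn:example:obligation:page-admin" FulfillOn="Deny"/>
  </Obligations>
</Result></Response>"""
NOT_APPLICABLE = "<Response><Result><Decision>NotApplicable</Decision></Result></Response>"

def _local(tag):
    """Strip an XML namespace from an element tag ('{ns}Decision' -> 'Decision')."""
    return tag.rsplit("}", 1)[-1]

def parse_response(xml_text):
    """Return (decision, [ObligationId, ...]) from a single-Result XACML Response."""
    root = ET.fromstring(xml_text)
    decision, obligations = None, []
    for el in root.iter():
        if _local(el.tag) == "Decision":
            decision = (el.text or "").strip()
        elif _local(el.tag) == "Obligation":
            obligations.append(el.get("ObligationId"))
    return decision, obligations

def enforce(xml_text, understood):
    """Apply the PEP rule from the proposed 7.1 text.

    Returns (allow, obligations_to_fulfil). Access is allowed ONLY on a valid
    Permit; a Permit is valid ONLY if every obligation is understood, and all
    of them must then be fulfilled. On Deny the PEP fulfils the obligations it
    understands. Anything else (NotApplicable, Indeterminate, unparseable) is a deny.
    """
    try:
        decision, obligations = parse_response(xml_text)
    except ET.ParseError:
        return False, []
    if decision == "Permit":
        if all(o in understood for o in obligations):
            return True, list(obligations)
        return False, []  # Permit carrying an obligation the PEP cannot honour is not valid
    if decision == "Deny":
        return False, [o for o in obligations if o in understood]
    return False, []
```

Note that the fail-closed branch also covers a Permit with an unknown obligation: the text does not say whether the PEP should still act on the obligations it does understand in that case, so this example fulfils none.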