Subject: Re: [xacml] Re: env attributes
Except that I believe we say explicitly that "current-time", etc. is the time at the PDP. How is the PEP supposed to know the time at the PDP? Maybe we need current-PDP-time, etc. and current-PEP-time, etc. :-)

Anne

"Polar Humenn" <polar@syr.edu> wrote:
>Date: Wed, 23 Oct 2002 15:08:56 -0400 (EDT)
>
>I should believe that values for the current-time, current-date, and
>current-dateTime environmental attributes should be provided by the PEP,
>not the PDP.
>
>How can one force temporal evaluation schemes on the PDP for it to come up
>with values for these attributes? One has no control over the evaluation,
>especially if different pieces of the policy get evaluated at different
>times. It is completely up to an implementation.
>
>The client of the PDP, (i.e. a PEP) should be providing values for these
>attributes in the request context. The PDP should NOT supply them.
>Otherwise, you would get different answers for the same inputs given by
>the client (i.e. a PEP).
>
>In fairness to temporal reasoning, however, it is the onus of the
>client, i.e. PEP, in accordance with XACML semantics, to give these
>attributes values that are considered valid with the temporal concerns of
>an access decision.
>
>Basic upshot: The current-time, current-date, and current-dateTime should
>be required to come from the request context.
>
>Cheers,
>-Polar
>
>On Wed, 23 Oct 2002, Seth Proctor wrote:
>
>>
>> In section 10.3.5 of 18d, the spec calls out three attribute identifiers that
>> the PDP must be able to handle specially (these are current-time, current-date,
>> and current-dateTime). Is the idea that these would appear in an AD in a
>> policy, and the PDP is supposed to know to resolve these values itself rather
>> than looking in the Request? I think that's the idea, but it's not spelled
>> out explicitly in the text.
>>
>> Also, these go on that list I started earlier of attributes that should be
>> defined to always be of a particular type:
>>
>> subject-category    string or URI
>> resource-id         string or URI
>> scope               string
>> current-time        ???
>> current-date        date
>> current-dateTime    dateTime
>>
>> Since each of these identifiers must be special-cased by the PDP, they must
>> always be of a known type. There may be others that should be on this list,
>> but most of the other identifiers are not treated in any special way by the
>> PDP, so the type information is transparent to the PDP.
>>
>>
>> seth
>>
>
>
>----------------------------------------------------------------
>To subscribe or unsubscribe from this elist use the subscription
>manager: <http://lists.oasis-open.org/ob/adm.pl>

Anne
------
Anne Anderson
Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
Burlington, MA
781-442-0928
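To make the disagreement in this thread concrete, the following is an added Python example, not code from the thread or from any XACML implementation. It models a toy PDP two ways: one that resolves current-time from its own clock (the reading Seth describes) and one that requires the PEP to supply current-time in the request context (Polar's proposal), and shows that only the second gives the same answer for the same inputs. The full attribute URNs are assumed from XACML 1.0; the XML Schema #time datatype for current-time is an assumption (Seth's list leaves it as "???"); the business-hours rule, the request-context classes and all helper functions are constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Callable, Dict

# XACML 1.0 environment attribute identifiers. The thread uses only the short
# names; the full URNs are assumed from the XACML 1.0 specification.
CURRENT_TIME = "urn:oasis:names:tc:xacml:1.0:environment:current-time"
CURRENT_DATE = "urn:oasis:names:tc:xacml:1.0:environment:current-date"
CURRENT_DATETIME = "urn:oasis:names:tc:xacml:1.0:environment:current-dateTime"

# Fixed datatype each special-cased identifier must carry (Seth's list).
# XML Schema #time for current-time is an assumption; the thread leaves it "???".
REQUIRED_TYPES = {
    CURRENT_TIME: "http://www.w3.org/2001/XMLSchema#time",
    CURRENT_DATE: "http://www.w3.org/2001/XMLSchema#date",
    CURRENT_DATETIME: "http://www.w3.org/2001/XMLSchema#dateTime",
}


@dataclass(frozen=True)
class Attribute:
    attribute_id: str
    datatype: str
    value: object


@dataclass
class RequestContext:
    """Hypothetical minimal request context; only the Environment section is modelled."""
    environment: Dict[str, Attribute] = field(default_factory=dict)


def business_hours_rule(now: time) -> str:
    """Toy policy: Permit between 09:00 and 17:00, Deny otherwise."""
    return "Permit" if time(9, 0) <= now < time(17, 0) else "Deny"


def fixed_clock(hour: int, minute: int) -> Callable[[], datetime]:
    """Constructed PDP clock frozen at one wall-clock time, so the effect of
    evaluating at different moments can be shown deterministically."""
    return lambda: datetime(2002, 10, 23, hour, minute)


def evaluate_with_pdp_clock(request: RequestContext, clock: Callable[[], datetime]) -> str:
    """Reading Seth describes: the PDP resolves current-time from its own clock.
    The request context is deliberately not consulted for this attribute, so the
    same request can yield different decisions depending on when the PDP runs."""
    return business_hours_rule(clock().time())


def evaluate_from_request(request: RequestContext) -> str:
    """Polar's proposal: the PDP takes current-time from the request context.
    A missing or mistyped attribute yields Indeterminate rather than a value
    guessed from the PDP's clock."""
    attr = request.environment.get(CURRENT_TIME)
    if attr is None or attr.datatype != REQUIRED_TYPES[CURRENT_TIME]:
        return "Indeterminate"
    return business_hours_rule(attr.value)


def pep_request(hour: int, minute: int) -> RequestContext:
    """The PEP builds the request context and stamps the time it observed."""
    ctx = RequestContext()
    ctx.environment[CURRENT_TIME] = Attribute(
        CURRENT_TIME, REQUIRED_TYPES[CURRENT_TIME], time(hour, minute)
    )
    return ctx


def pep_request_mistyped(hour: int, minute: int) -> RequestContext:
    """Same request, but current-time carried as #string instead of #time,
    which a PDP that special-cases the identifier must reject."""
    ctx = RequestContext()
    ctx.environment[CURRENT_TIME] = Attribute(
        CURRENT_TIME, "http://www.w3.org/2001/XMLSchema#string", f"{hour:02d}:{minute:02d}:00"
    )
    return ctx


if __name__ == "__main__":
    req = pep_request(10, 30)
    # Same request, PDP evaluates at two different moments: the answers differ.
    print(evaluate_with_pdp_clock(req, fixed_clock(10, 30)))  # Permit
    print(evaluate_with_pdp_clock(req, fixed_clock(20, 0)))   # Deny
    # Same request, time taken from the context: the decision is stable.
    print(evaluate_from_request(req))                           # Permit
    print(evaluate_from_request(RequestContext()))              # Indeterminate
    print(evaluate_from_request(pep_request_mistyped(10, 30)))  # Indeterminate
```

With the time carried in the request context, the decision is a pure function of the request, which is what makes it reproducible for audit and testing; the tension Anne raises (the spec says the value is the time at the PDP) shows up here only as the question of whose clock stamps the attribute, since once stamped it is just another input the PDP reads.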