OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [xacml] canonicalization for XACML instances being signed

Anne Anderson wrote:
> For example, will an XACML
> Response be removed from its SAML DecisionStatement or SAML
> Assertion and put into some other envelope for retransmission?

at first glance it would seem that canonicalization is necessary under 
this scenario:

(from: Abstract Requirements for SAML AuthorizationDecisionQuery/Response)

5. Way to return an XACML Policy/PolicySet in a Decision as a
    condition that must evaluate to "Permit" in order for the
    Decision to be valid.  Way to indicate that such a condition
    is associated with the Decision.  Might be appropriate to put
    this condition and indication into the XACML Response Context

just kinda winging it here, but my thinking is that this may involve the 
chunking of policy(ies)(sets) from a source that may have a 
fundamentally different context than that of the PEP being responded to.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]