OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [xacml] XACML Obligations and SAML Conditions (?)

Not sure if "considering" is the right wording ... as I understood it, it was a 
point of discussion that required resolution, and was added to the saml 2.0 todo 
list. I just send in my 5c before I forgot ;-)

-Frank.


Polar Humenn wrote:

> On Wed, 10 Sep 2003, Frank Siebenlist wrote:
> 
> 
>>In my mind, the issuer of an assertion vouches for the validity of the 
>>statement, and that the conditions clause should only apply to the validity of 
>>the statement as a whole.
>>
>>In the case of an xacml response, the obligations seems part of that response, 
>>and together constitute the statement. It is this complete statement that will 
>>be used by the pep after the validation of the assertion.
>>
>>To pull the obligations out and carry them in the saml's conditions doesn't seem 
>>to fit that model well.
> 
> 
> Ah, I got your point. I agree with you. The response carrying within an
> XACML response should be the captured as whole statement.
> 
> Were we really considering pulling obligations out into the Conditions?
> 
> Cheers,
> -Polar
> 
> 
>>-Frank.
>>
>>
>>Polar Humenn wrote:
>>
>>
>>>On Wed, 10 Sep 2003, Frank Siebenlist wrote:
>>>
>>>
>>>
>>>>My feel is that the saml condition is on the assertion level, while the xacml 
>>>>obligation is on the decision response level.
>>>>
>>>>Does it make sense to have the decision response including the obligations live 
>>>>outside of the assertion?
>>>>If the answer is yes, then that may have answered the question...
>>>
>>>
>>>I'm not quite sure what you mean.
>>>
>>>An obligation is part of the decision response. If we use the SAML
>>>Response to wrap this XACML response, By virtue of being a SAML Response,
>>>does that mean the XACML Response must be an Assertion? So, do you mean by
>>>turning the response into a SAML Assertion that we should strip the
>>>obligations out and put them some where else?
>>>
>>>-Polar
>>>
>>>
>>>
>>>>-Frank.
>>>>
>>>>
>>>
>>>
>>
> 

-- 
Frank Siebenlist              franks@mcs.anl.gov
The Globus Project - Argonne National Laboratory

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]