Subject: RE: [xacml] Concrete Proposal of ConditionReference (#7)

>Generating these unfortunate attributes should be constrained to the
>RequestHandler. Not the PDP. Ugghghhhhhhh!

Why not context handler?

>That is EXTREMELY unfortunate, and any product that does that I
>put any faith in, let alone buy. This is why standards must adhere to
>formalisms that guarantee the integrity of the products that are
>deployed. I am sorry you feel the way you do.

While this may be unfortunate, it may be inevitable.  Ever tried to
insist to a customer that you must have full control over when, how and
why THEIR data is supposed to be changing?   

When you try to make a local copy and synchronize all the PDPs looking at
the same policy to it - you can actually make things worse, as you will
be working on stale data.

For a distributed system hooked up to a distributed data source that is
controlled BY SOMEONE ELSE, it is not practical to provide such a
guarantee - and in many cases it is not needed.

I believe we shall not make any assumptions about when and how context
data is provided.   Mathematically inelegant?  Yes.  Should we provide
an *option* to straighten this out - absolutely.  But not require that.


