Subject: Re: [xacml] request's attribute assertion lifetime?
On 4 March, Polar Humenn writes: Re: [xacml] request's attribute assertion lifetime?

> On Thu, 4 Mar 2004, Frank Siebenlist wrote:
>
> > I just came across the fact that the request's attribute element has an
> > optional InstantIssue element to indicate the date and time at which the
> > attribute was issued, but you can't seem to specify a duration validity interval.
> >
> > Any reason for that?
>
> All values attributed to resources, subjects, and actions pertinent to
> the Access Decision Request should be validated for the request. (Another
> reason why the PDP shouldn't supply the "current-time", a serious fault,
> IMHO). The XACML Policy does not do validation. The PDP performs access
> decisions based on valid information.

Agreed. The validity interval occurs in the structure containing the XACML
Request Context, for example a SAML Attribute Assertion. The SAML Assertion
contains the Issuer name, the validity period, the signature, etc. By the
time the Attribute gets to the PDP, it is assumed to be a valid Attribute.
All checking must be done by the context handler and its minions.

> The reason for this approach is that we did not want XACML to become a
> validation engine. The business of checking signatures, validity times,
> handling cryptographic computational complexity, is all out of scope, and
> that is easily divided and pawned off on some other entity, so XACML will
> have to complicate its job with those matters.
>
> As far as Time goes, I never liked IssueInstant being in the
> RequestContext. Furthermore, you can't search on it using an
> AttributeDesignator, so its existence is really moot, except, I guess,
> for the XPath folks. I would like to suggest we remove it.

We should either go whole hog and include everything XPath might be able to
use, or clearly define what the XACML PDP handles and what the Context
Handler handles. If we want to include things just for XPath access,
wouldn't validity period be more important than IssueInstant?

Do we want to open that can?

Anne
-- 
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
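The division of labour described in this message (the context handler checks the SAML assertion's issuer and validity period, and the PDP only ever sees attributes that have already passed those checks) can be illustrated with a small context handler. The code below is an added example and is not code from the thread, from the XACML TC, or from any XACML implementation. The SAML 1.1 assertion, the trusted-issuer list, the attribute-id mapping convention and the evaluation timestamps are all constructed for the example; XML signature verification is assumed to be performed by a separate component before this handler runs and is not implemented here.

```python
"""Added example: a context handler that validates a SAML 1.1 attribute
assertion's lifetime and issuer before admitting its attributes into an
XACML 1.0 Request Context. Not part of the mailing-list thread."""
from dataclasses import dataclass, field
from datetime import datetime
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"      # SAML 1.x assertion namespace
XACML_CTX = "urn:oasis:names:tc:xacml:1.0:context"  # XACML 1.0 request context namespace
XSD_STRING = "http://www.w3.org/2001/XMLSchema#string"
NS = {"saml": SAML}

# Constructed for this example: the only attribute authority we accept.
TRUSTED_ISSUERS = {"https://aa.example.org"}

# Constructed sample assertion (signature assumed already verified upstream).
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_example1"
    Issuer="https://aa.example.org" IssueInstant="2004-03-04T11:00:00Z">
  <saml:Conditions NotBefore="2004-03-04T11:00:00Z" NotOnOrAfter="2004-03-04T13:00:00Z"/>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>frank</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="role" AttributeNamespace="urn:example:attrs">
      <saml:AttributeValue>admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


@dataclass
class ContextAttribute:
    attribute_id: str
    data_type: str
    value: str
    issuer: str


@dataclass
class HandlerResult:
    admitted: list = field(default_factory=list)
    rejected_reason: str = ""   # empty string means the assertion was accepted


def _parse_instant(text: str) -> datetime:
    # Accept the "Z" suffix on older Pythons by normalising it to an explicit offset.
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def validate_assertion(xml_text: str, evaluation_time: str,
                       trusted_issuers=TRUSTED_ISSUERS) -> HandlerResult:
    """Check issuer and validity interval; return the attributes fit for the PDP.

    evaluation_time is supplied by the caller (e.g. the PEP's clock); the PDP
    never supplies or sees a "current-time" of its own, as the thread argues."""
    now = _parse_instant(evaluation_time)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML}}}Assertion":
        return HandlerResult(rejected_reason="not a SAML assertion")
    issuer = root.get("Issuer", "")
    if issuer not in trusted_issuers:
        return HandlerResult(rejected_reason=f"untrusted issuer {issuer!r}")
    cond = root.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        # Without an explicit interval there is nothing to bound the lifetime.
        return HandlerResult(rejected_reason="assertion carries no validity interval")
    if now < _parse_instant(cond.get("NotBefore")):
        return HandlerResult(rejected_reason="assertion not yet valid")
    if now >= _parse_instant(cond.get("NotOnOrAfter")):   # NotOnOrAfter is exclusive
        return HandlerResult(rejected_reason="assertion expired")
    admitted = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        # Example mapping convention (an assumption): namespace + ":" + name.
        attribute_id = f"{attr.get('AttributeNamespace')}:{attr.get('AttributeName')}"
        for val in attr.findall("saml:AttributeValue", NS):
            admitted.append(ContextAttribute(attribute_id, XSD_STRING,
                                             (val.text or "").strip(), issuer))
    return HandlerResult(admitted=admitted)


def build_request_context(result: HandlerResult, resource_id: str, action_id: str) -> str:
    """Emit an XACML 1.0 Request containing only admitted attributes.

    A rejected assertion never reaches the PDP, so this raises instead of
    building a context. No IssueInstant and no current-time are emitted."""
    if result.rejected_reason:
        raise ValueError(result.rejected_reason)
    ET.register_namespace("", XACML_CTX)
    req = ET.Element(f"{{{XACML_CTX}}}Request")
    subject = ET.SubElement(req, f"{{{XACML_CTX}}}Subject")
    for a in result.admitted:
        el = ET.SubElement(subject, f"{{{XACML_CTX}}}Attribute",
                           AttributeId=a.attribute_id, DataType=a.data_type, Issuer=a.issuer)
        ET.SubElement(el, f"{{{XACML_CTX}}}AttributeValue").text = a.value
    for section, attr_id, value in (
        ("Resource", "urn:oasis:names:tc:xacml:1.0:resource:resource-id", resource_id),
        ("Action", "urn:oasis:names:tc:xacml:1.0:action:action-id", action_id),
    ):
        el = ET.SubElement(ET.SubElement(req, f"{{{XACML_CTX}}}{section}"),
                           f"{{{XACML_CTX}}}Attribute", AttributeId=attr_id, DataType=XSD_STRING)
        ET.SubElement(el, f"{{{XACML_CTX}}}AttributeValue").text = value
    return ET.tostring(req, encoding="unicode")


if __name__ == "__main__":
    ok = validate_assertion(ASSERTION, "2004-03-04T12:00:00Z")
    print(build_request_context(ok, "urn:example:doc:42", "read"))
    print(validate_assertion(ASSERTION, "2004-03-04T13:00:00Z").rejected_reason)
```

The handler evaluates NotBefore/NotOnOrAfter against a time the caller passes in, and the request it builds carries no current-time attribute, which is the point Polar makes above about the PDP not supplying it. The assertion is rejected outright at the NotOnOrAfter boundary, since SAML defines that bound as exclusive.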