Re: [xacml] request's attribute assertion lifetime?

[Polar Humenn <polar@syr.edu>]

Greetings,

Spring Break is over, I am back :)

On Wed, 10 Mar 2004, Frank Siebenlist wrote:

> [snip]

> Time is different than any other attribute as it moves in predictable ways. This
> is not a philosophical observation but is truly used.

True, which is exactly why we shouldn't go diving into throwing XML
attributes around to solve a complicated problem without major study.

XACML presently defines access control on attributes assumed to be valid,
whether that validity is based on time, issuer, signatures, which is all
up to the Request Handler. Admittedly, we do not have a specification for
the Request Handler (of which I think Daniel would like).

I can forsee, however, some form of XACML to handle the problem of
intervals, but if needed, as an extension, and only after significant
research in the area. Please keep in mind that intervals not only apply to
time. For instance, "Is Alice allowed on section of road R between points
A and B?"

We may tackle this problem by forming a specific committee to study the
issue for Intervals Based XACML or some such thingy. There is a lot of
research in temporal logics and such that may be helpful. However, I would
like to see a significant interest in the subject and commitment to study
before we attempt to solve one small use case, which can be solved by
formulating attributes in the way that Daniel described.

Cheers,
-Polar