Subject: RE: [xacml] request's attribute assertion lifetime?
>"...decisions for a single time T are not very useful in practice and we
>rely on unspoken, implicit time-intervals for which we assume the validity
>of that decision."

Why? Those are the ONLY decisions our system, for example, is interested in. We do not control customer data, and validity of such data does NOT map into simple intervals. There is NO "implicit time-interval". Decision is valid for a POINT in context space. Well defined, explicit point. There are no extended sets or intervals. I argue that there can be no such intervals if you do not know how every element in the context may depend on time (as it is most likely unknown to the PDP).

>"The PEP actually makes use of that property to note implicitly or
>explicitly that the current time is still within an acceptable range
>compared to the time for which the decision was evaluated."
>In other words, we are already using time intervals for authorization
>decisions and enforcement ... maybe it's time to acknowledge that and
>formalize it instead of keeping it fuzzy and under the carpet.

No, we do not. There are most definitely, absolutely, no time intervals anywhere in my authorization decisions. They are done for a specific point in time. If I want to cache it, then the data source is responsible for determining whether it is OK for any dimension in the context. You can get the behavior you want by including the interval data as one of the dimensions of this POINT in the context, as, for example, Polar proposed.

Daniel.