Subject: RE: [xacml] request's attribute assertion lifetime?
>You can get the behavior you want by including the interval data as one
>of the dimensions of this POINT in the context, as, for example, Polar
>proposed.

P.S. To elaborate:

If the PDP is interested in whether it can use the access decision from time A to time B, it can include A and B as information in the request. Then you will get an explicit result: {GRANT given A, B}. Then you have a defined context that includes information on the access time interval, and any other such information. Nothing is "implicit".

I assert that in a general case one cannot assume that any of the context data can be determined to be valid over some defined period of time and that this can be used to compute A and B from within the PDP. So we must use a countable subset in the context space.

That's where I would draw a "line" that Polar referred to: authorization should be done against a countable subset of context data.

Daniel.