
Subject: Re: [xacml] request's attribute assertion lifetime?



> I tried to argue before:
>
> "...decisions for a single time T are not very useful in practice and we rely on
> unspoken, implicit time-intervals for which we assume the validity of that
> decision."

I'll take issue with the above comment, especially "not very useful in
practice".  I might as well go home. Are any other people finding XACML
not very useful in this regard?

> and
>
> "The PEP actually makes use of that property to note implicitly or explicitly
> that the current time is still within an acceptable range compared to the time
> for which the decision was evaluated."
>
> In other words, we are already using time intervals for authorization decisions
> and enforcement ... maybe it's time to acknowledge that and formalize it instead
> of keeping it fuzzy and under the carpet.

The only thing that is fuzzy is the specification of the Request Handler,
and the PEP-PDP interface. It's fuzzy, because it isn't defined in XACML.
Perhaps, it may be defined somewhere else.

The Request Handler can make sure that all attributes are valid for the
period of time necessary to calculate, or retrieve the access decision,
deliver it to the PEP and have the PEP enforce the decision within that
time. That time interval can even be a parameter to the Request Handler:
"You must produce a value by time T and it must last until T+n." This means
that all information given to the Request Handler must be valid until T+n.
Pretty easy stuff.

Furthermore, if you are looking for validity periods for cached access
decisions, the Request/Reply Handler can do that as well as it can
calculate the validity periods for all attributes and intersect them
together, and place that in something that wraps the decision, such as an
Assertion.

Are you looking for the PDP to calculate validity periods throughout the
evaluation based on what attributes it may or may not look at? That means if a
policy doesn't look at an attribute, its validity time doesn't enter into
the validity interval of the decision?

Cheers,
-Polar

> -Frank.
>
> --
> Frank Siebenlist               franks@mcs.anl.gov
> The Globus Alliance - Argonne National Laboratory
>

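The two ways of deriving a decision's validity window that this exchange contrasts (intersecting the periods of every attribute handed to the Request Handler, versus only those the policy actually consulted) and the "must last until T+n" contract, worked as an added example. This is illustrative code, not anything from the XACML specification or the thread; the toy policy, the closed-interval representation and the attribute names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional, Set, Tuple

Interval = Tuple[datetime, datetime]  # closed [not_before, not_after]

def intersect(a: Interval, b: Interval) -> Optional[Interval]:
    """Overlap of two closed intervals, or None if they are disjoint."""
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None

@dataclass
class Request:  # attribute values, the period each is vouched for, names the policy read
    values: Dict[str, object]
    valid: Dict[str, Interval]
    consulted: Set[str] = field(default_factory=set)

    def get(self, name: str):
        self.consulted.add(name)          # record that the policy looked at it
        return self.values[name]

def evaluate(req: Request) -> str:
    # Toy policy (assumption): only 'role' is examined; 'clearance' never enters in.
    return "Permit" if req.get("role") == "admin" else "Deny"

def decision_validity(req: Request, only_consulted: bool) -> Optional[Interval]:
    """Intersect attribute validity periods; optionally only those the policy read."""
    names = req.consulted if only_consulted else set(req.valid)
    window: Optional[Interval] = None
    for name in names:
        window = req.valid[name] if window is None else intersect(window, req.valid[name])
        if window is None:
            return None                   # periods are disjoint: no usable window at all
    return window

def covers(window: Optional[Interval], t: datetime, n: timedelta) -> bool:
    """Request Handler contract: the decision must hold from T through T+n."""
    return window is not None and window[0] <= t and t + n <= window[1]

def demo() -> Tuple[bool, bool]:
    t = datetime(2003, 1, 1, 12, 0)      # constructed evaluation time T
    req = Request(
        values={"role": "admin", "clearance": "secret"},
        valid={"role": (t - timedelta(hours=1), t + timedelta(minutes=30)),
               "clearance": (t - timedelta(hours=1), t + timedelta(minutes=5))},
    )
    evaluate(req)                          # policy runs and consults only "role"
    n = timedelta(minutes=10)              # PEP needs the decision to last until T+10min
    per_policy = covers(decision_validity(req, only_consulted=True), t, n)   # True
    per_request = covers(decision_validity(req, only_consulted=False), t, n) # False
    return per_policy, per_request
```

The same request satisfies the T+n contract under the "consulted attributes only" rule and fails it under the "every attribute in the request" rule, which is exactly the difference the closing question asks about.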