Subject: Re: [xacml] request's attribute assertion lifetime?
> I tried to argue before:
>
> "...decisions for a single time T are not very useful in practice and we rely on
> unspoken, implicit time-intervals for which we assume the validity of that
> decision."

I'll take issue with the above comment, especially "not very useful in practice". I might as well go home. Are any other people finding XACML not very useful in this regard?

> and
>
> "The PEP actually makes use of that property to note implicitly or explicitly
> that the current time is still within an acceptable range compared to the time
> for which the decision was evaluated."
>
> In other words, we are already using time intervals for authorization decisions
> and enforcement ... maybe it's time to acknowledge that and formalize it instead
> of keeping it fuzzy and under the carpet.

The only thing that is fuzzy is the specification of the Request Handler, and the PEP-PDP interface. It's fuzzy because it isn't defined in XACML. Perhaps it may be defined somewhere else.

The Request Handler can make sure that all attributes are valid for the period of time necessary to calculate, or retrieve, the access decision, deliver it to the PEP and have the PEP enforce the decision within that time. That time interval can even be a parameter to the Request Handler: "You must produce a value by time T and it must last until T+n." This means that all information given to the Request Handler must be valid until T+n. Pretty easy stuff.

Furthermore, if you are looking for validity periods for cached access decisions, the Request/Reply Handler can do that as well, as it can calculate the validity periods for all attributes and intersect them together, and place that in something that wraps the decision, such as an Assertion.

Are you looking for the PDP to calculate validity periods throughout the evaluation based on what attributes it may or may not look at? That means if a policy doesn't look at an attribute, its validity time doesn't enter into the validity interval of the decision?

Cheers,
-Polar

> -Frank.
>
> --
> Frank Siebenlist franks@mcs.anl.gov
> The Globus Alliance - Argonne National Laboratory
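The two mechanisms Polar describes, the Request Handler's "valid until T+n" precondition and the intersection of attribute validity periods for a cached decision, as an added illustration that is not part of this thread or of any XACML implementation. Attribute ids, the integer-second intervals and the sample attributes are constructed for the example; the last two calls show how the decision window differs depending on whether only the attributes the policy consulted are intersected.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Validity window as half-open [not_before, not_on_or_after) in epoch seconds.
Interval = Tuple[int, int]

@dataclass(frozen=True)
class Attribute:
    attribute_id: str
    value: str
    validity: Interval  # when the assertion carrying this attribute is valid

# Constructed sample: three attributes with different validity periods.
SAMPLE_ATTRS: List[Attribute] = [
    Attribute("subject-role", "analyst", (1000, 4000)),
    Attribute("resource-classification", "internal", (0, 3000)),
    Attribute("current-time", "09:35", (2000, 2500)),
]

def intersect(intervals: Iterable[Interval]) -> Optional[Interval]:
    """Intersect validity intervals; None when they do not all overlap."""
    lo: Optional[int] = None
    hi: Optional[int] = None
    for start, end in intervals:
        lo = start if lo is None else max(lo, start)
        hi = end if hi is None else min(hi, end)
    if lo is None or hi is None or lo >= hi:
        return None
    return (lo, hi)

def request_handler_check(attrs: List[Attribute], t: int, n: int) -> List[str]:
    """Request Handler precondition: every attribute handed to the PDP must be
    valid over the whole window [t, t+n). Returns the ids that fail it."""
    return [a.attribute_id for a in attrs
            if not (a.validity[0] <= t and a.validity[1] >= t + n)]

def decision_validity(used_attrs: List[Attribute]) -> Optional[Interval]:
    """Validity window to wrap around a cached decision: the intersection of the
    validity periods of the attributes it was computed from."""
    return intersect(a.validity for a in used_attrs)

def pep_may_enforce(window: Optional[Interval], now: int) -> bool:
    """PEP check: a cached decision is enforceable only while now lies in its window."""
    return window is not None and window[0] <= now < window[1]

if __name__ == "__main__":
    print(request_handler_check(SAMPLE_ATTRS, 2100, 300))   # all attributes cover T+n
    print(request_handler_check(SAMPLE_ATTRS, 2100, 1000))  # two expire before T+n
    print(decision_validity(SAMPLE_ATTRS), decision_validity(SAMPLE_ATTRS[:2]))
```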