Subject: Re: [xacml] request's attribute assertion lifetime?
Ok - I'm running out of steam here with Daniel, you and me repeating our arguments - I'll give up...

Regards, Frank.

Polar Humenn wrote:
>> I tried to argue before:
>>
>> "...decisions for a single time T are not very useful in practice and we rely on
>> unspoken, implicit time-intervals for which we assume the validity of that
>> decision."
>
> I'll take issue with the above comment, especially "not very useful in
> practice". I might as well go home. Are any other people finding XACML
> not very useful in this regard?
>
>> and
>>
>> "The PEP actually makes use of that property to note implicitly or explicitly
>> that the current time is still within an acceptable range compared to the time
>> for which the decision was evaluated."
>>
>> In other words, we are already using time intervals for authorization decisions
>> and enforcement ... maybe it's time to acknowledge that and formalize it instead
>> of keeping it fuzzy and under the carpet.
>
> The only thing that is fuzzy is the specification of the Request Handler,
> and the PEP-PDP interface. It's fuzzy, because it isn't defined in XACML.
> Perhaps, it may be defined somewhere else.
>
> The Request Handler can make sure that all attributes are valid for the
> period of time necessary to calculate, or retrieve the access decision,
> deliver it to the PEP and have the PEP enforce the decision within that
> time. That time interval can even be a parameter to the Request Handler.
> "You must produce a value by time T and it must last until T+n" This means
> that all information given to the Request Handler must be valid until T+n.
> Pretty easy stuff.
>
> Furthermore, if you are looking for validity periods for cached access
> decisions, the Request/Reply Handler can do that as well as it can
> calculate the validity periods for all attributes and intersect them
> together, and place that in something that wraps the decision, such as an
> Assertion.
>
> Are you looking for the PDP to calculate validity periods throughout the
> evaluation based on what attributes it may or may not look at? That means if a
> policy doesn't look at an attribute, its validity time doesn't enter into
> the validity interval of the decision?
>
> Cheers,
> -Polar
>
>> -Frank.
>>
>> --
>> Frank Siebenlist franks@mcs.anl.gov
>> The Globus Alliance - Argonne National Laboratory

--
Frank Siebenlist franks@mcs.anl.gov
The Globus Alliance - Argonne National Laboratory
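The two mechanisms debated in this thread, a Request Handler that intersects the validity windows of every attribute it hands to the PDP, and the alternative Polar asks about where only attributes the policy actually referenced narrow the decision's window, can be made concrete with a small model. The following Python is an added illustration written for this archive page; it is not code from the thread, from XACML, or from any XACML implementation. All names (Attribute, decision_validity, covers, ts, the constructed attribute set and the time T) are assumptions chosen for the example. It also checks Polar's "produce by T, last until T+n" contract against the resulting window.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional, Set, Tuple

Window = Tuple[datetime, datetime]


@dataclass(frozen=True)
class Attribute:
    """An attribute value plus the window in which it is known to be valid.
    (Constructed model; XACML itself does not carry per-attribute validity.)"""
    name: str
    value: str
    not_before: datetime
    not_after: datetime


def ts(hour: int, minute: int) -> datetime:
    """Helper for the constructed sample: a UTC timestamp on 2024-01-01."""
    return datetime(2024, 1, 1, hour, minute, tzinfo=timezone.utc)


def intersect(windows: Iterable[Window]) -> Optional[Window]:
    """Intersection of closed [not_before, not_after] windows; None if empty."""
    windows = list(windows)
    if not windows:
        return None
    start = max(w[0] for w in windows)
    end = min(w[1] for w in windows)
    return (start, end) if start <= end else None


def decision_validity(attributes: Iterable[Attribute],
                      used: Optional[Set[str]] = None) -> Optional[Window]:
    """Validity window of a decision derived from these attributes.

    used=None  : every attribute given to the Request Handler narrows the
                 window (the Request/Reply Handler approach in the thread).
    used={...} : only attributes the policy actually looked at count
                 (the PDP-side variant Polar asks about)."""
    relevant = [a for a in attributes if used is None or a.name in used]
    return intersect((a.not_before, a.not_after) for a in relevant)


def covers(window: Optional[Window], t: datetime, n: timedelta) -> bool:
    """Does the window satisfy 'produced at T and must last until T+n'?"""
    if window is None:
        return False
    return window[0] <= t and window[1] >= t + n


# Constructed sample: three attributes with deliberately different lifetimes.
ATTRS = [
    Attribute("role", "clerk", ts(11, 0), ts(13, 0)),          # from a 2h session
    Attribute("classification", "internal", ts(0, 0), ts(23, 59)),
    Attribute("time-of-day", "12:00", ts(11, 55), ts(12, 5)),   # short-lived env attr
]
T = ts(12, 0)


if __name__ == "__main__":
    w_all = decision_validity(ATTRS)
    w_used = decision_validity(ATTRS, used={"role", "classification"})
    print("all attributes  :", w_all, covers(w_all, T, timedelta(minutes=10)))
    print("used attributes :", w_used, covers(w_used, T, timedelta(minutes=10)))
```

With every attribute counted, the short-lived time-of-day attribute pins the decision to an 11:55 to 12:05 window, which fails a "valid until T+10min" requirement; counting only the attributes the policy referenced widens it to 11:00 to 13:00, which passes. That difference is exactly the trade-off the thread is arguing about: the handler-side intersection is simple and conservative, while the PDP-side variant yields longer-lived decisions at the cost of tracking which attributes each evaluation touched.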