Subject: RE: [xacml] Validity periods in SAML Assertions


On 5 August, Daniel Engovatov writes: RE: [xacml] Validity periods in SAML Assertions
 > Isn't it the context handler's job to decide what is valid and what is
 > INDETERMINATE?

You missed my "Note":

[Note: I say the "PDP" does certain things with respect to
validity periods.  Actually, of course, it is not the "PDP" that
will make judgments about which SAML Assertions to use or about
what validity period to put into a Response, but either a Context
Handler or a SAML protocol handler outside even the Context
Handler.]

 > PDP does not know what assertion is - it knows about named attributes
 > and, optionally, about request context XML representation.
 > Other problem is what is "used during evaluation"?  One assertion may be
 > used in a rule evaluation, but the result of this rule will have no
 > effect on the evaluation result.

If the result of a rule can have no effect on the evaluation
result, regardless of the inputs to the rule, why is the rule
being evaluated?

Likewise, if the value of some Attribute can have no effect on
the evaluation result, why is the constraint that uses the
Attribute even present?

I think both those cases are errors on the part of the policy
creation tool.

In general, if a Rule is evaluated, and various Attributes are
requested to perform that evaluation, then the values of those
Attributes or the value of that Rule will affect the result.  If
the value of an invalid Attribute is used, the result of the Rule
might have been different had a valid Attribute (with a different
value) been used.

So, just as with computing Obligations, I think we could say that
the validity period of the XACMLAuthzDecision Assertion SHOULD
correspond to the intersection of the validity periods of all
Assertions that were actually used during the evaluation,
regardless of whether their current values made a difference or
not.

 > It is also quite possible to make decision based on volatile data.
 > I suggest that we should say that context handler will review attribute
 > assertion validity when the data is requested by PDP, and return
 > INDETERMINATE for invalid assertion.  Validity of the Response assertion
 > should be left for the implementation to decide: as there may be other
 > data or factors, other than attribute assertions validity, that
 > determine that.

But my question was, what criteria will the context handler use
to decide that an attribute assertion is invalid?  Will it be the
current-dateTime in the Request or the current time at the PDP?
My proposal was to use the latter.

I agree there may be other data or factors, but they should never
widen the validity period determined from the validity of the
inputs.  I amend my proposal to say that validity period should
be NO GREATER THAN the intersection of the validity periods of
the inputs.

Anne

 > PROPOSAL: the PDP SHALL use only Assertions that are valid at the
 > PDP's evaluation time, regardless of the Request's
 > "current-dateTime" value.  The PDP SHALL use the intersection of
 > the validity periods of all SAML Assertions used during the
 > evaluation as the validity period in its Response Assertion.  The
 > PDP SHALL NOT use the "current-dateTime" in the Request Context
 > to determine which SAML Assertions to use.

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
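As an added illustration of the amended proposal above (example code, not part of the thread or of any XACML implementation): assertions are judged valid at the PDP's own evaluation time rather than the Request's current-dateTime, any stale input yields INDETERMINATE, and the Response Assertion's validity period is the intersection of the inputs' periods, which other factors may shorten but never widen. The class and function names and the sample assertions are hypothetical.

```python
# Added example, not from the thread: validity-period handling for an
# XACMLAuthzDecision Assertion under Anne's amended proposal.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Sequence, Tuple

@dataclass(frozen=True)
class Assertion:
    """Validity period of one SAML Assertion, as in its <Conditions>:
    NotBefore is inclusive, NotOnOrAfter is exclusive; None means unbounded."""
    name: str
    not_before: Optional[datetime] = None
    not_on_or_after: Optional[datetime] = None

    def is_valid_at(self, t: datetime) -> bool:
        if self.not_before is not None and t < self.not_before:
            return False
        if self.not_on_or_after is not None and t >= self.not_on_or_after:
            return False
        return True

def intersect_validity(used: Sequence[Assertion]) -> Tuple[Optional[datetime], Optional[datetime]]:
    """Intersection of the validity periods of every Assertion used during
    evaluation, whether or not its current value changed the outcome."""
    lo = max((a.not_before for a in used if a.not_before is not None), default=None)
    hi = min((a.not_on_or_after for a in used if a.not_on_or_after is not None), default=None)
    return lo, hi

def response_validity(used: Sequence[Assertion], pdp_time: datetime,
                      implementation_cap: Optional[datetime] = None):
    """Return (status, NotBefore, NotOnOrAfter) for the Response Assertion.
    The Request's current-dateTime is deliberately not an input: validity is
    judged at the PDP's evaluation time, and any stale input is INDETERMINATE."""
    if any(not a.is_valid_at(pdp_time) for a in used):
        return ("INDETERMINATE", None, None)
    lo, hi = intersect_validity(used)  # non-empty: pdp_time lies inside every period
    # Other factors (e.g. volatile data) may shorten the period but never widen it.
    if implementation_cap is not None and (hi is None or implementation_cap < hi):
        hi = implementation_cap
    return ("OK", lo, hi)

# Constructed sample input (hypothetical assertions used during one evaluation).
MINUTE = timedelta(minutes=1)
T0 = datetime(2003, 8, 5, 12, 0, tzinfo=timezone.utc)
USED = [
    Assertion("subject-attrs", T0 - 60 * MINUTE, T0 + 120 * MINUTE),
    Assertion("resource-attrs", T0, T0 + 30 * MINUTE),
    Assertion("role"),  # unbounded: does not narrow the intersection
]
```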
