Subject: RE: [xacml] Validity periods in SAML Assertions
On 5 August, Daniel Engovatov writes:

> Is not it the context handler job to decide what is valid and what is
> INDETERMINATE ?

You missed my "Note":

[Note: I say the "PDP" does certain things with respect to validity periods. Actually, of course, it is not the "PDP" that will make judgments about which SAML Assertions to use or about what validity period to put into a Response, but either a Context Handler or a SAML protocol handler outside even the Context Handler.]

> PDP does not know what assertion is - it knows about named attributes
> and, optionally, about request context XML representation.
> Other problem is what is "used during evaluation"? One assertion may be
> used in a rule evaluation, but the result of this rule will have no
> effect on the evaluation result.

If the result of a rule can have no effect on the evaluation result, regardless of the inputs to the rule, why is the rule being evaluated? Likewise, if the value of some Attribute can have no effect on the evaluation result, why is the constraint that uses the Attribute even present? I think both those cases are errors on the part of the policy creation tool.

In general, if a Rule is evaluated, and various Attributes are requested to perform that evaluation, then the values of those Attributes or the value of that Rule will affect the result. If the value of an invalid Attribute is used, the result of the Rule might have been different had a valid Attribute (with a different value) been used.

So, just as with computing Obligations, I think we could say that the validity period of the XACMLAuthzDecision Assertion SHOULD correspond to the intersection of the validity periods of all Assertions that were actually used during the evaluation, regardless of whether their current values made a difference or not.

> It is also quite possible to make decision based on volatile data.
> I suggest that we should say that context handler will review attribute
> assertion validity when the data is requested by PDP, and return
> INDETERMINATE for invalid assertion. Validity of the Response assertion
> should be left for the implementation to decide: as there may be other
> data or factors, other than attribute assertions validity, that
> determine that.

But my question was, what criteria will the context handler use to decide that an attribute assertion is invalid? Will it be the current-dateTime in the Request or the current time at the PDP? My proposal was to use the latter.

I agree there may be other data or factors, but they should never widen the validity period determined from the validity of the inputs. I amend my proposal to say that validity period should be NO GREATER THAN the intersection of the validity periods of the inputs.

Anne

> PROPOSAL: the PDP SHALL use only Assertions that are valid at the
> PDP's evaluation time, regardless of the Request's
> "current-dateTime" value. The PDP SHALL use the intersection of
> the validity periods of all SAML Assertions used during the
> evaluation as the validity period in its Response Assertion. The
> PDP SHALL NOT use the "current-dateTime" in the Request Context
> to determine which SAML Assertions to use.
>

--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311    Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
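The amended proposal above (check each used assertion at the PDP's own clock, not the Request's current-dateTime; bound the Response assertion by the intersection of the inputs' validity periods, which an implementation may narrow but never widen), as an added example that is not part of this thread or of any XACML/SAML implementation. The `Assertion` snippets and the `cap` parameter are constructed for illustration.

```python
from datetime import datetime
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

def ts(value):
    """Parse a SAML xs:dateTime such as 2005-08-05T09:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def parse_window(assertion_xml):
    """(NotBefore, NotOnOrAfter) from an Assertion's <Conditions>; None = unbounded."""
    cond = ET.fromstring(assertion_xml).find(f"{{{SAML_NS}}}Conditions")
    bound = lambda attr: ts(cond.get(attr)) if cond is not None and cond.get(attr) else None
    return bound("NotBefore"), bound("NotOnOrAfter")

def is_valid_at(window, when):
    """SAML semantics: NotBefore is inclusive, NotOnOrAfter is exclusive."""
    nb, noa = window
    return (nb is None or nb <= when) and (noa is None or when < noa)

def intersect(windows):
    """Intersection of validity windows, or None when the intersection is empty."""
    lows = [w[0] for w in windows if w[0] is not None]
    highs = [w[1] for w in windows if w[1] is not None]
    lo, hi = (max(lows) if lows else None), (min(highs) if highs else None)
    return None if lo is not None and hi is not None and lo >= hi else (lo, hi)

def response_validity(used_assertions, pdp_now, cap=None):
    """Validity window for the XACMLAuthzDecision Response assertion.

    Every assertion actually used is checked at the PDP's own clock (the
    Request's current-dateTime is deliberately not consulted); an invalid
    input yields None, which the context handler would map to INDETERMINATE.
    `cap` (hypothetical) is an implementation-chosen window that may narrow,
    but never widen, the intersection of the inputs' windows."""
    windows = [parse_window(a) for a in used_assertions]
    if not all(is_valid_at(w, pdp_now) for w in windows):
        return None
    return intersect(windows + ([cap] if cap is not None else []))

# Constructed sample attribute assertions; only <Conditions> matters here.
ASSERTION_A = ('<Assertion xmlns="%s"><Conditions NotBefore="2005-08-05T09:00:00Z" '
               'NotOnOrAfter="2005-08-05T17:00:00Z"/></Assertion>' % SAML_NS)
ASSERTION_B = ('<Assertion xmlns="%s"><Conditions NotBefore="2005-08-05T12:00:00Z" '
               'NotOnOrAfter="2005-08-06T12:00:00Z"/></Assertion>' % SAML_NS)

if __name__ == "__main__":
    # Both inputs valid at 13:00 -> window 12:00..17:00; at 10:00 B is not yet valid -> None.
    print(response_validity([ASSERTION_A, ASSERTION_B], ts("2005-08-05T13:00:00Z")))
    print(response_validity([ASSERTION_A, ASSERTION_B], ts("2005-08-05T10:00:00Z")))
```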