Subject: external PDP and PolicyIdReference?
I remember having had some discussions in the past, where I brought up the requirement of calling out from a PDP to an external PDP, and I (even more vaguely) remember that someone tried to explain that you may be able to do that through a PolicyIdReference/PolicySetIdReference. It is clear that you could dynamically fetch a Policy/PolicySet through this mechanism by having a some handler resolve the URI and substitute the returned Policy statement, but I'm not clear how you could invoke an authz decision request to another PDP that would essentially return a Decision. Are there maybe other ways to achieve this? Or in order to support that, maybe we need an additional "PdpIdReference" URI that would have a different semantics: this would "somehow" resolve to an external PDP that would be invoked with the identical request context (possibly through a XACMLAuthzDecisionQuery), while the Decision of the Response would be substituted in-place for the normal Decision of an evaluated Policy? Thanks, Frank. -- Frank Siebenlist firstname.lastname@example.org The Globus Alliance - Argonne National Laboratory