[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: #31: Passing arbitrary sets of Attributes in the request (Re: [xacml]Minutes of 27 April 2006 XACML TC Meeting)
#31: Passing arbitrary sets of Attributes in the request (for use with subsequent potential delegates). Erik thinks it would just make the request and its evaluation more complex; would need a way to refer to these "potential attributes". Are the Attributes "invisible" until the associated delegate appears in the reduction? Erik proposes passing such Attributes would be outside the core specification. Implementation-specific Context Handler is responsible for making these available when appropriate. Erik thinks these should be added to the SAML Profile. Alternative would be putting them in the XACML Request. Profile would provide way to pass Attributes in XACML Attribute format, so they don't have to be converted back to SAML Attributes. Profile will also need an ID element structure so Context Handler can tell which identity various Attributes are associated with. Could Erik maybe elaborate on the issues raised? I do not understand arguments that passing the attribute sets in the request context makes the evaluation more complex. What is the alternative? Wouldn't you always end-up with the equivalent processing no matter how you pass them? If you do not pass them in a "functional" argument, then you have to rely on global state to pass those attribute sets, which is most of the time undesirable. We have the equivalent working in our Globus Toolkit authorization Java-code for some time now... Regards, Frank. -- Frank Siebenlist franks@mcs.anl.gov The Globus Alliance - Argonne National Laboratory
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]