[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: #31: Passing arbitrary sets of Attributes in the request (Re: [xacml]Minutes of 27 April 2006 XACML TC Meeting)
#31: Passing arbitrary sets of Attributes in the request
(for use with subsequent potential delegates). Erik
thinks it would just make the request and its evaluation
more complex; would need a way to refer to these
"potential attributes". Are the Attributes "invisible"
until the associated delegate appears in the reduction?
Erik proposes passing such Attributes would be outside
the core specification. Implementation-specific Context
Handler is responsible for making these available when
appropriate. Erik thinks these should be added to the
SAML Profile. Alternative would be putting them in the
XACML Request. Profile would provide way to pass
Attributes in XACML Attribute format, so they don't have
to be converted back to SAML Attributes. Profile will
also need an ID element structure so Context Handler can
tell which identity various Attributes are associated
with.
Could Erik maybe elaborate on the issues raised?
I do not understand arguments that passing the attribute sets in the
request context makes the evaluation more complex.
What is the alternative? Wouldn't you always end-up with the equivalent
processing no matter how you pass them?
If you do not pass them in a "functional" argument, then you have to
rely on global state to pass those attribute sets, which is most of the
time undesirable.
We have the equivalent working in our Globus Toolkit authorization
Java-code for some time now...
Regards, Frank.
--
Frank Siebenlist franks@mcs.anl.gov
The Globus Alliance - Argonne National Laboratory
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]