Subject: Re: [xacml] Delegation with open attribute categories
Do you mean that both <Subject> and <Attributes Category="Subject"> could be used?

When it comes to access requests, I would guess that it is not a major problem. However, for delegation, I would suggest that we do not define a delegation model for the old formats. That would be very messy.

But I am not sure what the gain would be. XACML 3.0 policies would not be understandable by a 2.0 PDP in any case. A 3.0 implementation can internally translate 2.0 policies into 3.0 form, so it could load both types of policies. Am I correct?

Regards,
Erik

Anne Anderson - Sun Microsystems wrote:
> I know it is "messy", but would it make sense to try to support both
> formats, just for backwards compatibility? I know we have specified
> an exact equivalence between each of the old category formats and a
> corresponding id for a new category, but would it be possible to
> actually support the old category formats in addition?
>
> Just a thought and a question...
>
> Regards,
> Anne
>
> Erik Rissanen wrote On 09/20/06 08:55,:
>> All,
>>
>> I have looked into how to map the delegation model in the new format
>> with the open attribute categories. It turns out to work very well and
>> the categories simplify the delegation specification a lot. Everything
>> can be done with the normal matching rules and there is no need for any
>> special delegation treatment, except for the process which generates the
>> administrative requests. (I hope I am not overlooking anything here.)
>> There is only one issue with indirect delegates. I have added issues
>> 49-52 in the issues list to cover what I have done so far:
>>
>> http://wiki.oasis-open.org/xacml/IssuesList
>>
>> I suggest that, if people like this, I will update the delegation
>> profile draft accordingly.
>>
>> What I have done solves issue 33 (how to match any delegate), so if
>> people like my proposals, we could close that issue.
>>
>> Also, should we reopen issue 9, backwards compatibility? It is marked as
>> closed since everything so far has been backwards compatible. The open
>> categories are not directly backwards compatible, so that is not true
>> anymore.
>>
>> Best regards,
>> Erik