
Subject: Re: [xacml] Delegation with open attribute categories


Erik Rissanen wrote On 09/20/06 09:24,:
> Do you mean that both <Subject> and <Attributes Category="Subject">
> could be used?


> When it comes to access requests, I would guess that it is not a major
> problem. However, for delegation, I would suggest that we do not define
> a delegation model for the old formats. That would be very messy.

I agree.  We would not try to support new functionality with the old 

> But I am not sure what the gain would be. XACML 3.0 policies would not
> be understandable by a 2.0 PDP in any case. A 3.0 implementation can
> internally translate 2.0 policies into 3.0 form, so it could load both
> types of policies. Am I correct?

The gain is that every 3.0 PDP could load 2.0 policies, and not just 
those that choose to do internal translations.  We would essentially be 
making support by 3.0 PDP's for 2.0 policies mandatory.  The internal 
implementation would probably be a translation, but that is up to the 
3.0 PDP implementer.


> Regards,
> Erik
> Anne Anderson - Sun Microsystems wrote:
>>I know it is "messy", but would it make sense to try to support both
>>formats, just for backwards compatibility?  I know we have specified
>>an exact equivalence between each of the old category formats and a
>>corresponding id for a new category, but would it be possible to
>>actually support the old category formats in addition?
>>Just a thought and a question...
>>Erik Rissanen wrote On 09/20/06 08:55,:
>>>I have looked into how to map the delegation model in the new format
>>>with the open attribute categories. It turns out to work very well and
>>>the categories simplify the delegation specification a lot. Everything
>>>can be done with the normal matching rules and there is no need for any
>>>special delegation treatment, except for the process which generates the
>>>administrative requests. (I hope I am not overlooking anything here.)
>>>There is only one issue with indirect delegates. I have added issues
>>>49-52 in the issues list to cover what I have done so far:
>>>I suggest that, if people like this, I will update the delegation
>>>profile draft accordingly.
>>>What I have done solves issue 33 (how to match any delegate), so if
>>>people like my proposals, we could close that issue.
>>>Also, should we reopen issue 9, backwards compatibility? It is marked as
>>>closed since everything so far has been backwards compatible. The open
>>>categories are not directly backwards compatible, so that is not true
>>>Best regards,

Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
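
The request-side equivalence discussed in this thread (each old category element corresponding to a category id on <Attributes>), shown as an added example that is not part of the original messages or of any OASIS code. It assumes the element names, namespaces and category URIs of the published XACML 2.0 and 3.0 core schemas rather than the 2006 working draft under discussion; the sample request, idp.example and urn:example:role are constructed.

```python
import xml.etree.ElementTree as ET

NS2 = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
NS3 = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
CAT3 = "urn:oasis:names:tc:xacml:3.0:attribute-category:"
ACCESS_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
XS = "http://www.w3.org/2001/XMLSchema#"

# Constructed sample request in the 2.0 context schema (not from the thread).
SAMPLE_20 = f"""<Request xmlns="{NS2}">
  <Subject><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
      DataType="{XS}string" Issuer="idp.example"><AttributeValue>alice</AttributeValue>
  </Attribute></Subject>
  <Subject><Attribute AttributeId="urn:example:role" DataType="{XS}string">
    <AttributeValue>auditor</AttributeValue></Attribute></Subject>
  <Resource><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
      DataType="{XS}anyURI"><AttributeValue>https://files.example/report</AttributeValue>
  </Attribute></Resource>
  <Action/><Environment/>
</Request>"""

def category_for(elem):
    """Map a 2.0 <Subject>/<Resource>/<Action>/<Environment> to a 3.0 category id."""
    name = elem.tag.split("}", 1)[1]
    if name == "Subject":  # SubjectCategory is optional; access-subject is the default
        return elem.get("SubjectCategory", ACCESS_SUBJECT)
    if name in ("Resource", "Action", "Environment"):
        return CAT3 + name.lower()
    raise ValueError(f"unexpected 2.0 request element: {name}")

def translate_request(xml_20):
    """Build the 3.0 <Request> equivalent of a 2.0 request (text values only)."""
    src = ET.fromstring(xml_20)
    if src.tag != f"{{{NS2}}}Request":
        raise ValueError("not a XACML 2.0 request context")
    dst = ET.Element(f"{{{NS3}}}Request", ReturnPolicyIdList="false", CombinedDecision="false")
    groups = {}  # one <Attributes> per category; subjects sharing a category are merged
    for child in src:
        cat = category_for(child)
        if cat not in groups:
            groups[cat] = ET.SubElement(dst, f"{{{NS3}}}Attributes", Category=cat)
        for attr in child.findall(f"{{{NS2}}}Attribute"):
            out = ET.SubElement(groups[cat], f"{{{NS3}}}Attribute",
                                AttributeId=attr.get("AttributeId"), IncludeInResult="false")
            if attr.get("Issuer") is not None:
                out.set("Issuer", attr.get("Issuer"))
            for val in attr.findall(f"{{{NS2}}}AttributeValue"):
                # 3.0 moves DataType from <Attribute> onto each <AttributeValue>
                new = ET.SubElement(out, f"{{{NS3}}}AttributeValue", DataType=attr.get("DataType"))
                new.text = val.text
    return dst
```

<ResourceContent> and structured (non-text) attribute values are outside what this translation covers; ET.tostring(translate_request(SAMPLE_20)) serializes the result.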
