Fwd: [xacml] Multiple subjects in XACML

[Argyn <jawabean@gmail.com>]

---------- Forwarded message ----------
From: Argyn <jawabean@gmail.com>
Date: Feb 19, 2007 10:44 AM
Subject: Re: [xacml] Multiple subjects in XACML
To: Erik Rissanen <mirty@sics.se>


On 2/19/07, Erik Rissanen <mirty@sics.se> wrote:
> Hal raised the concern that this is a bug in 2.0, since there could for
> instance be multiple intermediate subjects, and this was a use case
> which 2.0 should handle.
>
> I wasn't a member of the TC when 2.0 was designed, so I don't know if it
> is a bug or a feature, but if it is a bug, it's a major one. If the
> multiple subjects are really considered to be distinct subjects, there
> are still no mechanisms by which policies can refer to them in a
> meaningful manner. If an attribute designator is used to fetch
> attributes from the request, it would mix up the attributes from
> different distinct subjects. This is the same problem which we had with
> multiple distinct IndirectDelegates, which is the reason I introduced
> the MultipleCondition, which could be used to constrain distinct
> indirect delegates.

we discussed it with Seth once. it looked strange to me when I first
read it. as far as I know XACML implementations support this feature
as it is written.

argyn