Subject: Fwd: Fwd: [xacml] Multiple subjects in XACML
sorry, this is so annoying that reply-to field from our mailing list
doesn't have its address. i always hit "Reply" then realize that it's
not going to the mailing list.

---------- Forwarded message ----------
From: Argyn <jawabean@gmail.com>
Date: Feb 19, 2007 11:27 AM
Subject: Re: Fwd: [xacml] Multiple subjects in XACML
To: Erik Rissanen <mirty@sics.se>

On 2/19/07, Erik Rissanen <mirty@sics.se> wrote:
> Argyn wrote:
> > ---------- Forwarded message ----------
> > From: Argyn <jawabean@gmail.com>
> > Date: Feb 19, 2007 10:44 AM
> > Subject: Re: [xacml] Multiple subjects in XACML
> > To: Erik Rissanen <mirty@sics.se>
> >
> >
> > On 2/19/07, Erik Rissanen <mirty@sics.se> wrote:
> >> Hal raised the concern that this is a bug in 2.0, since there could for
> >> instance be multiple intermediate subjects, and this was a use case
> >> which 2.0 should handle.
> >>
> >> I wasn't a member of the TC when 2.0 was designed, so I don't know if it
> >> is a bug or a feature, but if it is a bug, it's a major one. If the
> >> multiple subjects are really considered to be distinct subjects, there
> >> are still no mechanisms by which policies can refer to them in a
> >> meaningful manner. If an attribute designator is used to fetch
> >> attributes from the request, it would mix up the attributes from
> >> different distinct subjects. This is the same problem which we had with
> >> multiple distinct IndirectDelegates, which is the reason I introduced
> >> the MultipleCondition, which could be used to constrain distinct
> >> indirect delegates.
> >
> > we discussed it with Seth once. it looked strange to me when I first
> > read it. as far as I know XACML implementations support this feature
> > as it is written.
> >
> > argyn
>
> When you mean "support this feature as it is written", do you mean that
> multiple subjects with the same subject category are not treated as
> distinct subjects by implementations?
>
> Sorry, but I am just a bit confused by the "support" and "written",
> since my interpretation of the writing is that distinct subjects with
> equal categories are not supported. ;-)

my fault, I wasn't clear enough. If they have the same category, they
are treated as the same thing. so i simply unite the set of attributes
of different subjects, if they have the same category. i really don't
understand why is it like that in the spec, honestly, but that's what i
implemented. as far as i know, others do the same. i may even have a
conformance test for this feature, not sure though

argyn
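
The merging behaviour discussed in this thread, as an added example that is not part of the original messages or of any XACML implementation: two `<Subject>` elements share the intermediary-subject category, and a rule that needs both attributes from one intermediary matches only once their bags are united. The attribute ids `urn:example:vendor` and `urn:example:trusted`, the helper names, and the request (trimmed to its `<Subject>` elements) are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

CTX_NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
CTX = "{" + CTX_NS + "}"
ACCESS_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
INTERMEDIARY = "urn:oasis:names:tc:xacml:1.0:subject-category:intermediary-subject"
STRING = "http://www.w3.org/2001/XMLSchema#string"
VENDOR, TRUSTED = "urn:example:vendor", "urn:example:trusted"  # constructed ids

def subject_xml(category, attrs):
    body = "".join(
        f'<Attribute AttributeId="{k}" DataType="{STRING}">'
        f"<AttributeValue>{v}</AttributeValue></Attribute>" for k, v in attrs.items())
    return f'<Subject SubjectCategory="{category}">{body}</Subject>'

# Constructed request: two distinct intermediaries with the same category.
REQUEST = (f'<Request xmlns="{CTX_NS}">'
           + subject_xml(INTERMEDIARY, {VENDOR: "acme", TRUSTED: "false"})
           + subject_xml(INTERMEDIARY, {VENDOR: "other", TRUSTED: "true"})
           + "</Request>")

def subjects(request_xml):
    """Return [(category, {attribute_id: {values}})], one entry per <Subject>."""
    out = []
    for subj in ET.fromstring(request_xml).iter(CTX + "Subject"):
        attrs = defaultdict(set)
        for attr in subj.iter(CTX + "Attribute"):
            for val in attr.iter(CTX + "AttributeValue"):
                attrs[attr.get("AttributeId")].add((val.text or "").strip())
        out.append((subj.get("SubjectCategory", ACCESS_SUBJECT), attrs))
    return out

def merged_bags(request_xml):
    """Unite the bags of all subjects that share a category (behaviour from the thread)."""
    merged = defaultdict(lambda: defaultdict(set))
    for category, attrs in subjects(request_xml):
        for attr_id, values in attrs.items():
            merged[category][attr_id] |= values
    return merged

def satisfies(attrs, required):
    return all(v in attrs.get(k, ()) for k, v in required.items())

def merged_match(request_xml, category, required):
    """What a designator-based rule sees once same-category subjects are merged."""
    return satisfies(merged_bags(request_xml)[category], required)

def per_subject_match(request_xml, category, required):
    """Hypothetical check that keeps subjects distinct, for comparison."""
    return any(c == category and satisfies(a, required)
               for c, a in subjects(request_xml))
```

With the constructed request, a rule requiring vendor `acme` and trusted `true` matches on the merged bags although neither intermediary carries both values.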