
xacml message



Subject: New Topic: Other miscellaneous concerns


Prateek asked:

> How can we know the kinds of questions a PEP will ask of a PDP?

I am not sure what was intended here. Perhaps this was covered under the
discussion of Policy Inputs.

> Ability to bind administrator identity to policy

> Accomplished via trust model between PAP and PR

> Could take the form of TLS/SSL or use of digital signatures

> No real expansion of specifications required here

> Policy repository ensures that only policy originators can edit or
> delete existing policy

This is correct. However, note that the Administration/Delegation
functionality of XACML 3.0 changes this significantly. Some stakeholders
envision a considerably more dynamic policy environment where policies
may arrive with the request and be applied only for a single decision.


> Administrators should be able to browse and refer to existing policies
> in new policies

> Ability to reference existing policies available via
> <xacml:PolicyIdReference> element but processing rules undefined

> May need some profiling to be useful in an interoperable fashion

It is not clear to me that anything is needed here. Clearly a PAP can
treat a Policy ID as opaque text. Whether or not Policy ID References
are used, the PAP and PDP have to know how to find where policies are
stored. Presumably this includes reading and writing by ID. This seems
like a straightforward thing to do with, say, a relational database. The
same could be defined for LDAP, although many would say policies are too
volatile to be stored in LDAP.

What do you have in mind here? Once again the main thing that is needed
is people who are willing to contribute. Use cases would be a good start.

Hal
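
The repository behaviour discussed in this message (policies read and written by opaque ID in a relational store, edit and delete limited to the originator, references resolved by lookup) can be sketched as follows. This is an added example, not part of the original message or of the XACML specification: `PolicyStore`, its table layout and the `urn:example:` IDs are hypothetical, and it also follows `PolicySetIdReference`, which the message does not mention, because that is where reference cycles can arise.

```python
import sqlite3
import xml.etree.ElementTree as ET
NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"  # XACML 2.0 policy namespace
REFS = ("{%s}PolicyIdReference" % NS, "{%s}PolicySetIdReference" % NS)

class PolicyStore:
    """Hypothetical repository: policies keyed by opaque ID, bound to an originator."""
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE policy (id TEXT PRIMARY KEY, originator TEXT, xml TEXT)")

    def _owner(self, pid):
        row = self.db.execute("SELECT originator FROM policy WHERE id=?", (pid,)).fetchone()
        return row[0] if row else None

    def write(self, caller, xml):
        # Assumption: caller was authenticated by the PAP-to-repository channel
        # (TLS or a verified signature); parse untrusted XML with a hardened parser.
        root = ET.fromstring(xml)
        pid = root.get("PolicyId") or root.get("PolicySetId")
        if pid is None:
            raise ValueError("document carries no PolicyId or PolicySetId")
        if self._owner(pid) not in (None, caller):
            raise PermissionError(f"{caller} is not the originator of {pid}")
        self.db.execute("INSERT OR REPLACE INTO policy VALUES (?,?,?)", (pid, caller, xml))
        return pid

    def delete(self, caller, pid):
        if self._owner(pid) != caller:
            raise PermissionError(f"{caller} is not the originator of {pid}")
        self.db.execute("DELETE FROM policy WHERE id=?", (pid,))

    def resolve(self, pid, path=()):
        """Depth-first list of IDs reachable from pid; fails on gaps and cycles."""
        if pid in path:
            raise ValueError("reference cycle: " + " -> ".join(path + (pid,)))
        row = self.db.execute("SELECT xml FROM policy WHERE id=?", (pid,)).fetchone()
        if row is None:
            raise KeyError(f"unresolved reference: {pid}")
        found = [pid]
        for el in ET.fromstring(row[0]).iter():
            if el.tag in REFS:
                found += self.resolve((el.text or "").strip(), path + (pid,))
        return found

# Constructed sample documents (minimal, not schema-complete).
X = f'xmlns="{NS}"'
LEAF = f'<Policy {X} PolicyId="urn:example:leaf"/>'
ROOT = (f'<PolicySet {X} PolicySetId="urn:example:root">'
        '<PolicyIdReference>urn:example:leaf</PolicyIdReference></PolicySet>')
```

Resolving a set before it is handed to a PDP surfaces dangling references and cycles at administration time instead of at decision time.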

