Subject: Re: Call for Obligations
Sampo,

I think by now I have given up on the idea of obligations being optional. :) This is mainly due to added education from the others on the TC.

Are we looking at at least standardizing some of the obligations like logging? Looking at http://wiki.oasis-open.org/xacml/DiscussionOnObligations, I am guessing Yes!

Regards,
Anil

sampo@symlabs.com wrote:
> Anil Saldhana writes:
>> My use cases in mind are the following (please correct me wherever my
>> understanding is wrong):
>> a) Legitimate authorization request arrives at the PEP. PEP invokes
>> the PDP. PDP comes back with 'PERMIT' and a set of obligations. PEP
>> is unable to fulfill 1 or more obligations. PEP issues an error. What
>> happened to the legitimate request?
>
> I understand you mean the authorization request was legit from global
> perspective, assuming all information was available, but might seem
> illegit when viewed locally, perhaps with some of the context or
> information inaccessible.
>
> The conflict between PDP imposing Obligations that PEP can not
> satisfy vs. PDP having "intelligently" chosen the alternate
> Obligations that it "knows" PEP can satisfy is the key. At local
> level any request that does not come with enough context or information
> to satisfy Obligations MUST be considered illegit. If such request,
> from global perspective should have been considered legit, then
> we need to see if there was architectural or layering reason why
> the PEP and PDP did not have available to them all the necessary
> information.
>
>> b) PDP issues a 'PERMIT' with a logging obligation. PEP does not want
>> to log because performance considerations have been put forward and
>> logging is low priority for the PEP. PEP issues an error.
>
> If PEP does not adhere to rules set by PDP, then it does not play. If PDP
> loses a lot of business because it makes onerous Obligations, then
> it will either go out of business or change the Obligations.
>
> I still do not see the case for making an Obligation optional. Either
> it is sine-qua-non or it is not (and if it is not, why even bother
> to state it). However, I do see that there may be alternate Obligations
> or alternate ways of satisfying a higher level Obligation.
>
> Cheers,
> --Sampo
> __________________________________________________________________
> Sym  | Sampo Kellomaki ______| Identity Architect, Federated SSO
> ____ | +351-918.731.007 ______| Liberty ID-WSF DirectoryScript
> labs | skype: sampo.kellomaki | LDAP SOAP PlainDoc Crypto C Perl
>

--
Anil Saldhana
JBoss Security & Identity Management
http://labs.jboss.com/portal/jbosssecurity/
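The mandatory-obligation behaviour discussed in this thread (use cases a and b), as an added example that is not part of the original messages or of any XACML implementation. The obligation identifiers, the handler registry and all function names are constructed for illustration.

```python
"""Sketch of a PEP that treats every obligation as mandatory (assumed design)."""
from typing import Callable, Dict, List, Tuple

# Constructed obligation identifiers; not taken from the XACML specification.
OB_LOG = "urn:example:obligation:log"
OB_NOTIFY = "urn:example:obligation:notify-owner"

Handler = Callable[[dict], bool]  # returns True once the obligation is discharged
AUDIT_LOG: List[str] = []
REQUEST = {"subject": "alice", "resource": "/records/42"}  # constructed sample


def log_access(request: dict) -> bool:
    AUDIT_LOG.append(f"{request['subject']} -> {request['resource']}")
    return True


def logging_disabled(request: dict) -> bool:
    # Use case (b): the PEP has switched logging off for performance reasons.
    return False


def enforce(decision: str, obligations: List[str],
            handlers: Dict[str, Handler], request: dict) -> Tuple[str, List[str]]:
    """Return (effective decision, obligations the PEP could not discharge)."""
    if decision != "Permit":
        return "Deny", []  # deny-biased: anything other than Permit is refused
    # Use case (a): check that every obligation is understood before running
    # any of them, so nothing is half-executed when access is refused.
    unknown = [ob for ob in obligations if ob not in handlers]
    if unknown:
        return "Deny", unknown
    failed = []
    for ob in obligations:
        try:
            ok = handlers[ob](request)
        except Exception:
            ok = False  # a crashing handler counts as an unfulfilled obligation
        if not ok:
            failed.append(ob)
    return ("Deny", failed) if failed else ("Permit", [])


if __name__ == "__main__":
    print(enforce("Permit", [OB_LOG], {OB_LOG: log_access}, REQUEST))
    print(enforce("Permit", [OB_LOG, OB_NOTIFY], {OB_LOG: log_access}, REQUEST))
    print(enforce("Permit", [OB_LOG], {OB_LOG: logging_disabled}, REQUEST))
```

The second element of the result names the obligations that caused the refusal, which is what an operator needs in order to tell a policy denial from a PEP that lacks a handler.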