Subject: Re: [xacml] Attribute validity times
David,

XACML is currently based entirely on a model where only the current, valid attributes are presented to the PDP for each particular decision. It is assumed that the PEP/context handler has already validated the attributes.

If your policy requirement is that an attribute be valid (for instance, many countries require that a passport is valid for at least six months before they let you into the country), you can model this with a specific attribute, like a "passport validity end date" in this case.

Regards,
Erik

David Chadwick wrote:
> Dear WG
>
> I don't know if this issue has already been discussed before by the
> group (I suspect it might have), but we have the following problem.
>
> The java interface to our PDP includes validity times for each subject
> attribute. This allows attribute assertions (SAML, X.509 etc) to be
> validated once in our validation software (a time-consuming process
> especially if they are signed) and then used many times for multiple
> decisions by the PDP.
>
> We have added an XACML request context interface to our PDP, but now
> when the attributes are converted into XACML subject attributes, we
> lose the validity times that our validation software has extracted and
> placed alongside each attribute value.
>
> We could produce a "hack" workaround by adding an additional validity
> time attribute to the set of subject attributes, but in the general
> case each subject attribute can have different validity times,
> especially when attribute assertions are obtained from multiple
> attribute authorities.
>
> If the group has discussed this topic, what was your conclusion?
>
> regards
>
> David
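The model described in the reply above, sketched as an added example that is not part of either message or of any PDP's code: a context handler keeps the per-attribute validity times from validation, presents only attributes valid at decision time, and publishes a validity end date as its own attribute where policy needs it. The `urn:example:` attribute ids, the `:validity-end` suffix, the 183-day stand-in for "six months" and the sample cache are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
XS_DATETIME = "http://www.w3.org/2001/XMLSchema#dateTime"
ROLE_ID = "urn:example:attr:role"                 # hypothetical ids
CLEARANCE_ID = "urn:example:attr:clearance"
PASSPORT_ID = "urn:example:attr:passport-number"
END_SUFFIX = ":validity-end"                      # hypothetical naming convention

@dataclass(frozen=True)
class ValidatedAttribute:
    """One attribute value cached after its assertion was validated once."""
    attribute_id: str
    value: str
    issuer: str
    not_before: datetime
    not_after: datetime
    expose_end: bool = False   # also publish not_after for policy conditions

def build_subject_attributes(cache, now):
    """Subject attributes to present to the PDP for a decision at `now`."""
    out = []
    for a in cache:
        if not (a.not_before <= now < a.not_after):
            continue           # outside its own window: never reaches the PDP
        out.append({"AttributeId": a.attribute_id, "DataType": XS_STRING,
                    "Issuer": a.issuer, "Value": a.value})
        if a.expose_end:
            out.append({"AttributeId": a.attribute_id + END_SUFFIX,
                        "DataType": XS_DATETIME, "Issuer": a.issuer,
                        "Value": a.not_after.isoformat()})
    return out

def passport_rule_permits(attrs, now, margin=timedelta(days=183)):
    """Stand-in for a policy condition: validity end is at least `margin` away."""
    for a in attrs:
        if a["AttributeId"] == PASSPORT_ID + END_SUFFIX:
            return datetime.fromisoformat(a["Value"]) >= now + margin
    return False               # no validity-end attribute presented: not permitted

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed cache: three attributes from three authorities, each with its own window.
CACHE = [
    ValidatedAttribute(ROLE_ID, "officer", "aa-one.example", utc(2023, 6, 1), utc(2024, 6, 1)),
    ValidatedAttribute(CLEARANCE_ID, "secret", "aa-two.example", utc(2023, 1, 1), utc(2023, 12, 31)),
    ValidatedAttribute(PASSPORT_ID, "X0000000", "aa-three.example", utc(2014, 3, 1), utc(2024, 3, 1), True),
]
```

Only the passport attribute carries its end date into the request; the other two are simply present or absent, so differing validity times across authorities do not require one extra attribute per value.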