OASIS Mailing List Archives

xacml message


Subject: Re: [xacml] Attribute validity times


XACML is currently based entirely on a model where only the current, 
valid attributes are presented to the PDP for each particular decision. 
It is assumed that the PEP/context handler has already validated the 

If your policy requirement is that an attribute be valid, for instance, 
many countries require that a passport is valid for at least six months 
before they let you into the country, you can model this with a specific 
attribute, like a "passport validity end date" in this case.


David Chadwick wrote:
> Dear WG
> I don't know if this issue has already been discussed before by the 
> group (I suspect it might have), but we have the following problem.
> The java interface to our PDP includes validity times for each subject 
> attribute. This allows attribute assertions (SAML, X.509 etc) to be 
> validated once in our validation software (a time-consuming process 
> especially if they are signed) and then used many times for multiple 
> decisions by the PDP.
> We have added an XACML request context interface to our PDP, but now 
> when the attributes are converted into XACML subject attributes, we 
> lose the validity times that our validation software has extracted and 
> placed alongside each attribute value.
> We could produce a "hack" workaround by adding an additional validity 
> time attribute to the set of subject attributes, but in the general 
> case each subject attribute can have different validity times, 
> especially when attribute assertions are obtained from multiple 
> attribute authorities.
> If the group has discussed this topic, what was your conclusion?
> regards
> David
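
The approach discussed in this thread, as an added example that is not part of either message and is not the code of the PDP mentioned: a context handler that drops cached attributes which are not valid at decision time and emits, for each remaining attribute, a companion dateTime attribute carrying its validity end, so different attributes can have different validity times. It assumes the XACML 2.0 request context namespace; the `:validity-end` suffix, the `urn:example:` attribute ids and the issuer names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

CTX_NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os"  # assumed XACML version
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
XS_DATETIME = "http://www.w3.org/2001/XMLSchema#dateTime"
VALIDITY_END_SUFFIX = ":validity-end"  # hypothetical naming convention
UTC = timezone.utc

@dataclass(frozen=True)
class ValidatedAttribute:
    """One attribute as cached after signature/assertion validation."""
    attribute_id: str
    value: str
    issuer: str
    not_before: datetime  # timezone-aware
    not_after: datetime   # timezone-aware

def _add_attribute(subject, attribute_id, data_type, issuer, text):
    attr = ET.SubElement(subject, f"{{{CTX_NS}}}Attribute",
                         {"AttributeId": attribute_id, "DataType": data_type,
                          "Issuer": issuer})
    ET.SubElement(attr, f"{{{CTX_NS}}}AttributeValue").text = text

def build_subject(cached, decision_time):
    """Return (Subject element, ids dropped as not valid at decision_time)."""
    subject = ET.Element(f"{{{CTX_NS}}}Subject")
    dropped = []
    for a in cached:
        # The PDP only ever sees attributes that are valid right now.
        if not (a.not_before <= decision_time <= a.not_after):
            dropped.append(a.attribute_id)
            continue
        _add_attribute(subject, a.attribute_id, XS_STRING, a.issuer, a.value)
        # Per-attribute validity end, so a policy can demand remaining validity.
        end = a.not_after.astimezone(UTC).strftime("%Y-%m-%dT%H:%M:%SZ")
        _add_attribute(subject, a.attribute_id + VALIDITY_END_SUFFIX,
                       XS_DATETIME, a.issuer, end)
    return subject, dropped

# Constructed sample: two attributes from two attribute authorities.
SAMPLE = [
    ValidatedAttribute("urn:example:attr:role", "clerk", "CN=AA1",
                       datetime(2024, 1, 1, tzinfo=UTC), datetime(2024, 12, 31, tzinfo=UTC)),
    ValidatedAttribute("urn:example:attr:clearance", "secret", "CN=AA2",
                       datetime(2024, 1, 1, tzinfo=UTC), datetime(2024, 3, 1, tzinfo=UTC)),
]

if __name__ == "__main__":
    subject, dropped = build_subject(SAMPLE, datetime(2024, 6, 1, tzinfo=UTC))
    print(ET.tostring(subject, encoding="unicode"))
    print("dropped:", dropped)
```

A policy can then compare the companion attribute against the current time plus a margin, as in the six-month passport case above.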
