OASIS Mailing List Archives: xacml message

Subject: Re: [xacml] Attribute validity times

Hi David.

> [...]
> Yes, you can implement the hack you mention below, where you add a new 
> validity time attribute for every RC subject attribute, but a better 
> solution would be to change the XML to allow optional validity times to 
> accompany each attribute, with default values of start now and never end. 
> This achieves backwards compatibility, but allows validity times to be 
> incorporated naturally with attribute values.

I agree with (what I think) Erik was suggesting, that the PEP/PIP is really
responsible for validity. From a policy evaluation point of view, the
PDP assumes that any input provided to evaluating a given policy is still
valid. A central piece of the XACML model is that the PDP is insulated
from the rest of the world: it assumes the attributes it's provided are
valid, and uses these to evaluate a policy.

Put another way, XACML defines the policy processing model, not the way
that interaction happens with the rest of the world. Yes, there is the
context schema which defines a standard, simple XACML Request that carries
only the core values that can drive evaluation. There's also SAML, which
should allow you to define validity periods or other constraints on any
attributes you need to provide. 

We could change the Request format to include validity periods, but what
effect would this have? It sounds to me like it would require the PDP
to consider validity of attribute values with each use, or at the point
in time that evaluation started, or some other metric. It would also
mean that we'd have to have some unified notion of time in a distributed
system, which is hard (well, provably impossible, but in practice there
are reasonable schemes for well-connected nodes).

I think what you really want is what SAML provides. The ability to put
constraints on attributes up to the point where some entity queries a
PDP for evaluation. I strongly believe that the PDP itself should not
have any role in determining the validity of attributes presented to it,
and that's really what we'd be talking about if the context schema
itself changed.

Erik - sorry for jumping in here :) Feel free to disagree..
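The division of labour argued for in the message above, as an added example that is not part of the thread or of any XACML product: a context handler/PIP applies SAML-style NotBefore/NotOnOrAfter conditions (with a small clock-skew allowance, since the nodes' clocks will not agree) and strips that metadata before building the request, so the PDP evaluates the policy as a pure function of the attributes it is handed and has no notion of time at all. The assertion data, the rule set and the function names are constructed for illustration; the request and policy are minimal dict structures, not real XACML XML.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data: attribute assertions as a SAML attribute authority
# might issue them, each with its own validity window. Values are hypothetical.
SAMPLE_ASSERTIONS = [
    {"name": "role", "value": "physician",
     "not_before": "2024-01-01T00:00:00Z", "not_on_or_after": "2024-01-01T08:00:00Z"},
    {"name": "role", "value": "researcher",
     "not_before": "2024-01-01T00:00:00Z", "not_on_or_after": "2024-12-31T00:00:00Z"},
    {"name": "clearance", "value": "high",
     "not_before": "2024-06-01T00:00:00Z", "not_on_or_after": None},  # no end: never expires
]

# Hypothetical policy: permit a physician, or a researcher who also holds a
# high clearance; otherwise deny. First matching rule wins.
RULES = [
    {"effect": "Permit", "match": {"role": "physician"}},
    {"effect": "Permit", "match": {"role": "researcher", "clearance": "high"}},
]


def parse_utc(s):
    """Parse the xs:dateTime subset used above into an aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assertion_is_valid(assertion, now, skew=timedelta(minutes=5)):
    """SAML Conditions semantics: NotBefore is inclusive, NotOnOrAfter is
    exclusive. The skew allowance absorbs clock drift between issuer and
    consumer; it is applied here, at the edge, and nowhere else."""
    nb = assertion.get("not_before")
    noa = assertion.get("not_on_or_after")
    if nb is not None and now + skew < parse_utc(nb):
        return False  # not yet valid
    if noa is not None and now - skew >= parse_utc(noa):
        return False  # expired
    return True


def build_request(assertions, now):
    """Context handler / PIP role: drop attributes that are not currently
    valid and strip all validity metadata, so the request carries only the
    core values that drive evaluation."""
    subject = {}
    for a in assertions:
        if assertion_is_valid(a, now):
            subject.setdefault(a["name"], set()).add(a["value"])
    return {"subject": subject}


def pdp_evaluate(request, rules=RULES):
    """PDP role: a pure function of request and policy. It has no clock and
    no notion of validity; whatever is in the request is taken as valid."""
    subject = request["subject"]
    for rule in rules:
        if all(value in subject.get(name, set())
               for name, value in rule["match"].items()):
            return rule["effect"]
    return "Deny"


def decide(assertions, now):
    """PEP flow: gather assertions, let the context handler filter them,
    then ask the PDP."""
    return pdp_evaluate(build_request(assertions, now))


if __name__ == "__main__":
    for ts in ("2024-01-01T04:00:00Z", "2024-01-01T12:00:00Z",
               "2024-07-01T00:00:00Z", "2025-01-01T00:00:00Z"):
        print(ts, decide(SAMPLE_ASSERTIONS, parse_utc(ts)))
```

Note that the same set of assertions yields different decisions at different times, but the PDP code never changes and never consults a clock: the "which time counts" question the message raises is answered once, by the context handler, when the request is built.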

