OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [xacml] RE: Context Handler

On 2011-12-19 16:11, remon.sinnema@emc.com wrote:

-----Original Message-----
From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On
Behalf Of Erik Rissanen
Sent: Monday, December 19, 2011 4:02 PM
To: Sinnema, Remon
Cc: xacml@lists.oasis-open.org
Subject: Re: [xacml] RE: Context Handler

Hi Ray,

Ok, I understand, but I would say that this is a flaw in the
implementation in this case.
I don't think the spec is clear enough in this area. It doesn't define what exactly a PIP can and cannot do. If we make the description of the PIP clearer so that it explicitly can do more than retrieve values for attributes that are missing from the request, then I agree we don't need a REP.

However, I do wonder based on what information the PDP will decide to ask the PIP for more attribute values. Or do you propose the PDP always reaches out to all PIPs?



This is easy to control through the context handler setup/config. A context handler which is configured to always invoke a particular PIP is equivalent to deploying a "REP".

The XACML architecture is intended to be an abstract view of the big picture and applicable to many diverse environments, so it intentionally leaves out many details. Making it more detailed would clutter the architecture or make it less generally applicable. There are so many things it could cover, like caching, pre-fetching, communication protocols, when to invoke which PIP, etc. I prefer to keep it simple in the spec.

Best regards,

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]