OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Dynamic Attributes versus Existing Attributes


I've been considering the issue of how to handle dynamic attributes generated by the Dynamic
Attribute Authority that are attributes already in the request context (see Section 3.4 of
https://www.oasis-open.org/apps/org/workgroup/xacml/download.php/68861/xacml-3.0-dyn-attr-v1.0-wd03.docx ).

The three main options are "merge", "dynamic attribute overrides" and "existing attribute
overrides". There are straightforward ways to get the effect of "merge" or "existing attribute
overrides", whatever the default behaviour, by judicious use of the issuer field and the
existing DAA obligations, but not in the case of "dynamic attribute overrides". This would
suggest that "dynamic attribute overrides" should be the default, though it feels a bit like a
sledgehammer and isn't the path of least resistance.

XACML allows the same attribute to appear multiple times in the request, with one or more
possibly-duplicated attribute values in each instance, so tacking on a few more generated by
the DAA is trivially easy and is likely to involve the least disruption to existing context
handler implementations. This is the "merge" option. The current DAA draft merges while
avoiding adding duplicate values, but it would be simpler to not worry about duplicates since
they rarely matter and there are a few ways to avoid them if required.

If "merge" is the default then I would propose adding a new obligation so as to get the effect
of "dynamic attribute overrides" when desired. Call it the ignore-initial-values obligation.
It would have the same components as the exclude-all-values obligation and its effect would be
to cause the context handler the exclude any original values of the nominated attribute from
the request context.

If I don't hear any arguments to the contrary, in the next DAA draft I will keep "merge" as
the nominal behaviour, except in the presence of an ignore-initial-values obligation, and drop
the need to check for duplicates. I'll add a non-normative section on ways to get the
different behaviours.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]