OASIS eXtensible Access Control Markup Language (XACML) TC


RE: [xacml] Validity periods in SAML Assertions

    Posted 08-05-2004 17:56


    Subject: RE: [xacml] Validity periods in SAML Assertions


    On 5 August, Daniel Engovatov writes: RE: [xacml] Validity periods in SAML Assertions
     > Isn't it the context handler's job to decide what is valid and what is
     > INDETERMINATE?
    
    You missed my "Note":
    
    [Note: I say the "PDP" does certain things with respect to
    validity periods.  Actually, of course, it is not the "PDP" that
    will make judgments about which SAML Assertions to use or about
    what validity period to put into a Response, but either a Context
    Handler or a SAML protocol handler outside even the Context
    Handler.]
    
     > The PDP does not know what an assertion is - it knows about named attributes
     > and, optionally, about the request context XML representation.
     > The other problem is what is "used during evaluation"?  One assertion may be
     > used in a rule evaluation, but the result of this rule will have no
     > effect on the evaluation result.
    
    If the result of a rule can have no effect on the evaluation
    result, regardless of the inputs to the rule, why is the rule
    being evaluated?
    
    Likewise, if the value of some Attribute can have no effect on
    the evaluation result, why is the constraint that uses the
    Attribute even present?
    
    I think both those cases are errors on the part of the policy
    creation tool.
    
    In general, if a Rule is evaluated, and various Attributes are
    requested to perform that evaluation, then the values of those
    Attributes or the value of that Rule will affect the result.  If
    the value of an invalid Attribute is used, the result of the Rule
    might have been different had a valid Attribute (with a different
    value) been used.
    
    So, just as with computing Obligations, I think we could say that
    the validity period of the XACMLAuthzDecision Assertion SHOULD
    correspond to the intersection of the validity periods of all
    Assertions that were actually used during the evaluation,
    regardless of whether their current values made a difference or
    not.
    
     > It is also quite possible to make a decision based on volatile data.
     > I suggest that we should say that the context handler will review attribute
     > assertion validity when the data is requested by the PDP, and return
     > INDETERMINATE for an invalid assertion.  Validity of the Response assertion
     > should be left for the implementation to decide: as there may be other
     > data or factors, other than attribute assertion validity, that
     > determine that.
    
    But my question was, what criteria will the context handler use
    to decide that an attribute assertion is invalid?  Will it be the
    current-dateTime in the Request or the current time at the PDP?
    My proposal was to use the latter.
    
    I agree there may be other data or factors, but they should never
    widen the validity period determined from the validity of the
    inputs.  I amend my proposal to say that validity period should
    be NO GREATER THAN the intersection of the validity periods of
    the inputs.
    
    Anne
    
     > PROPOSAL: the PDP SHALL use only Assertions that are valid at the
     > PDP's evaluation time, regardless of the Request's
     > "current-dateTime" value.  The PDP SHALL use the intersection of
     > the validity periods of all SAML Assertions used during the
     > evaluation as the validity period in its Response Assertion.  The
     > PDP SHALL NOT use the "current-dateTime" in the Request Context
     > to determine which SAML Assertions to use.
    
    -- 
    Anne H. Anderson             Email: Anne.Anderson@Sun.COM
    Sun Microsystems Laboratories
    1 Network Drive, UBUR02-311    Tel: 781/442-0928
    Burlington, MA 01803-0902 USA  Fax: 781/442-1692
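The amended proposal above, carried through as an added example (not code from this thread or from the XACML TC): every assertion actually used is checked against the PDP's own evaluation time, the validity periods of the inputs are intersected, and any further implementation-specific factor may narrow that window but never widen it. The `Validity` class and the `intersect` and `response_validity` functions are assumed names for illustration; the sample times are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class Validity:
    # SAML Conditions semantics: NotBefore is inclusive, NotOnOrAfter is exclusive
    not_before: datetime
    not_on_or_after: datetime

    def contains(self, t: datetime) -> bool:
        return self.not_before <= t < self.not_on_or_after

    def is_empty(self) -> bool:
        return self.not_before >= self.not_on_or_after


def intersect(windows: list[Validity]) -> Validity | None:
    """Latest NotBefore and earliest NotOnOrAfter over all windows; None if empty."""
    if not windows:
        return None
    w = Validity(max(v.not_before for v in windows),
                 min(v.not_on_or_after for v in windows))
    return None if w.is_empty() else w


def response_validity(used: list[Validity], pdp_now: datetime,
                      impl_window: Validity | None = None):
    """Validity period for the XACMLAuthzDecision assertion (assumed helper).

    Rules applied, following the amended proposal:
    - each assertion actually used must be valid at the PDP's own clock
      (pdp_now), not at the Request's current-dateTime; else INDETERMINATE
    - the Response validity is no greater than the intersection of the inputs
    - an implementation-supplied window (impl_window) may narrow the result,
      never widen it
    """
    if any(not v.contains(pdp_now) for v in used):
        return "INDETERMINATE", None
    window = intersect(used)          # non-empty: every window contains pdp_now
    if window is None:                # nothing was used, so inputs impose no bound
        return "OK", impl_window
    if impl_window is not None:
        window = intersect([window, impl_window])
        if window is None:
            return "INDETERMINATE", None
    return "OK", window
```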