OASIS eXtensible Access Control Markup Language (XACML) TC


Re: [xacml] 7.7 Obligations


    Posted 10-07-2002 14:35


    Subject: Re: [xacml] 7.7 Obligations


    On Mon, 7 Oct 2002, bill parducci wrote:
    
    > this is in reference to the pEp (which doesn't do 'extra fancy rule and
    > policy recombination algorithm' stuff).
    >
    > the idea is that *regardless* of what the pDp returns to the pEp in
    > terms of an azn decision, the pEp DENIES access to the Resource by the
    > Subject if the associated Obligation is not understandable.
    
    It appears to me that this document merely describes a language, such that
    when a formula of the language is well formed, when evaluated against a
    specific valid input, yields a consistent result.
    
    What the PEP does with that result is up to the PEP. This advice should be
    non-normative. The normative part should only outline the specific manner
    in which obligations are collected in a particular way, according to the
    language, and delivered in the result.
    
    Cheers,
    -Polar
    
    
    >
    > b
    >
    > Daniel Engovatov wrote:
    > >
    > >
    > >
    > >>The PDP just collects obligations; it is not responsible for
    > >>enforcing them.  The PEP is responsible for enforcing
    > >>obligations.  If the PEP does not understand an obligation, it
    > >>should deny access.
    > >
    > >
    > > DENY?  What if it is using some extra fancy rule and policy recombination
    > > algorithm that never returns denies - only PERMIT and NONAPPLICABLE.
    > >
    > > Maybe it should be worded such that it is up PEP MUST recognize this, but
    > > what to do is up to an implementation?
    > >
    > > Daniel
    > >
    > > ----------------------------------------------------------------
    > > To subscribe or unsubscribe from this elist use the subscription
    > > manager: <http://lists.oasis-open.org/ob/adm.pl>
    >
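
The PEP behaviour debated in this thread, as an added example that is not part of the original messages or of the XACML specification: the PEP refuses access when the PDP result carries an obligation it has no handler for, whatever decision value the PDP returned. The class names, the handler table and the `urn:example:` obligation ids are assumptions made up for the illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

@dataclass
class Obligation:
    obligation_id: str                       # constructed ids, not from a real policy
    params: Dict[str, str] = field(default_factory=dict)

@dataclass
class PdpResult:
    decision: str                            # what the PDP computed
    obligations: List[Obligation] = field(default_factory=list)

Handler = Callable[[Obligation], bool]       # True means the obligation was fulfilled

def enforce(result: PdpResult, handlers: Dict[str, Handler]) -> Tuple[bool, str]:
    """PEP side: turn a PDP result into grant/refuse. The PDP decision is never rewritten."""
    # 1. Check that every obligation is understood before running any of them,
    #    so a refusal does not leave half-executed side effects behind.
    unknown = [o.obligation_id for o in result.obligations if o.obligation_id not in handlers]
    if unknown:
        return False, "obligation not understood: " + ", ".join(unknown)
    # 2. Discharge the obligations; one that cannot be fulfilled also blocks access.
    for o in result.obligations:
        if not handlers[o.obligation_id](o):
            return False, "obligation failed: " + o.obligation_id
    # 3. Only an explicit Permit grants access.
    if result.decision != PERMIT:
        return False, "PDP decision was " + result.decision
    return True, "granted"

# Constructed sample: this PEP knows one obligation and records what it ran.
audit_log: List[str] = []

def log_access(o: Obligation) -> bool:
    audit_log.append(o.params.get("msg", ""))
    return True

HANDLERS: Dict[str, Handler] = {"urn:example:obligation:log": log_access}

if __name__ == "__main__":
    known = Obligation("urn:example:obligation:log", {"msg": "read record 7"})
    alien = Obligation("urn:example:obligation:encrypt-reply")
    print(enforce(PdpResult(PERMIT, [known]), HANDLERS))
    print(enforce(PdpResult(PERMIT, [known, alien]), HANDLERS))
    print(enforce(PdpResult(NOT_APPLICABLE), HANDLERS))
```

The refusal happens at the enforcement point only, so it works the same with a combining algorithm that never yields Deny.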
    
    
    

