xacml message
Subject: Re: [xacml] change request: subject attribute designators
Although the client may have several identities due to different
authentication protocols, the target side should only have one
client identity associated with the application request because the client
selected only one protocol to authenticate to the target.
Initially people will probably be using XACML to handle access control
decisions on a target side of an application request, CORBA, SOAP, or
otherwise. So, one "access-subject" should be fine. Later, we can still
think of one "access-subject", but it can be a structured subject made up
of multiple principals.
Cheers,
-Polar
On Wed, 2 Oct 2002, Simon Godik wrote:
> Polar,
> I do agree with you that unique subj-category is the simplest case.
> And it was my understanding for some time.
>
> We have to decide if the 'integrated login' that is solved by Sun with PAM is
> a requirement that must be met in xacml 1.0. PAM specifically calls out a use
> case when a user must be authenticated with more than one protocol.
>
> I would support postponing 'integrated login' till the next version, but in
> the meantime I wanted to have a concrete proposal for how to deal with it if
> we have to.
>
> Simon
>
>