OASIS eXtensible Access Control Markup Language (XACML) TC

Re: [xacml] change request: subject attribute designators

    Posted 10-03-2002 16:24
    
    Although the client may have several identities due to different
    authentication protocols, on the target side, there should only be one
    client identity associated with the application request because the client
    selected only one protocol to authenticate to the target.
    
    Initially people will probably be using XACML to handle access control
    decisions on a target side of an application request, CORBA, SOAP, or
    otherwise. So, one "access-subject" should be fine. Later, we can still
    think of one "access-subject", but it can be a structured subject made up
    of multiple principals.
    
    Cheers,
    -Polar
    
    On Wed, 2 Oct 2002, Simon Godik wrote:
    
    > Polar,
    > I do agree with you that unique subj-category is the simplest case.
    > And it was my understanding for some time.
    >
    > We have to decide if the 'integrated login' that is solved by Sun with PAM is
    > a requirement that must be met in XACML 1.0. PAM specifically calls out a use
    > case when a user must be authenticated with more than one protocol.
    >
    > I would support postponing 'integrated login' till the next version, but in
    > the meantime I wanted to have a concrete proposal for how to deal with it if
    > we have to.
    >
    > Simon
    >
    >