> 3. pdp can maintain group hierarchy locally.
by this, you mean in a practical sense, right? in other words, this
device is acting as the PDP as well as the PxP? (sorry, it is early and
the name of the reference/information entity isn't coming to mind
:o)
or, are we assuming that the pdp is also a repository of referential
data and not just decision making logic?
phrased another way: how granular are we going to get with our model? it
seems that there is significant variance on the playground and i don't
think we have driven that stake into the ground yet. or have we?
b
>
> Pdp can maintain a policy on how to compute group closure for various
> subjects and resources.
> This policy could specify combinations of 1, 2, and 3.
>
> One policy could be that evidence from the request should be ignored,
> and direct group membership should be taken from attribute
> authorities,
> and group hierarchy should be kept in the pdp.
> In this case input from 1 is ignored and 2 is used in 3 for closure
> computation.
>
> Or we can take group membership from the evidence in the request only.
>
> Allowing pdp to specify a policy for group membership computation
> provides for the most
> flexibility.
>
> Simon Godik
> Crosslogix
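
The group-closure policy described in the quoted message, sketched as an added example that is not part of the original thread. It assumes source 1 is group evidence carried in the request, source 2 is direct membership from attribute authorities, and source 3 is the hierarchy held by the PDP; all class, function and group names and the sample data are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ClosurePolicy:
    """Which sources the PDP consults (names are hypothetical)."""
    use_request_evidence: bool      # source 1: groups asserted in the request
    use_attribute_authority: bool   # source 2: direct membership from authorities
    use_pdp_hierarchy: bool         # source 3: group hierarchy kept in the PDP

def group_closure(subject, policy, request_groups, authority_groups, hierarchy):
    """Return the set of groups the PDP treats the subject as belonging to."""
    direct = set()
    if policy.use_request_evidence:
        direct |= set(request_groups)
    if policy.use_attribute_authority:
        direct |= set(authority_groups.get(subject, ()))
    if not policy.use_pdp_hierarchy:
        return direct
    # Walk child -> parent edges; the visited set makes cycles harmless.
    closure, pending = set(), list(direct)
    while pending:
        group = pending.pop()
        if group in closure:
            continue
        closure.add(group)
        pending.extend(hierarchy.get(group, ()))
    return closure

# Constructed sample data.
REQUEST_GROUPS = {"admins"}                        # claimed in the request
AUTHORITY_GROUPS = {"alice": {"payroll-clerks"}}   # from an attribute authority
HIERARCHY = {                                      # child -> parent groups
    "payroll-clerks": {"finance"},
    "finance": {"staff"},
    "staff": {"finance"},                          # deliberate cycle
    "admins": {"staff"},
}

# Policy from the message: ignore 1, feed 2 into 3 for the closure.
AUTHORITY_PLUS_HIERARCHY = ClosurePolicy(False, True, True)
# Alternative from the message: membership from request evidence only
# (read here as no hierarchy expansion, which is an assumption).
REQUEST_ONLY = ClosurePolicy(True, False, False)

def evaluate(policy):
    return group_closure("alice", policy, REQUEST_GROUPS,
                         AUTHORITY_GROUPS, HIERARCHY)

if __name__ == "__main__":
    print(sorted(evaluate(AUTHORITY_PLUS_HIERARCHY)))
    print(sorted(evaluate(REQUEST_ONLY)))
```

Under the first policy the "admins" claim in the request has no effect on the result; under the second it is the entire result.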