xacml message
Subject: [xacml] Re: env attributes
I should believe that values for the current-time, current-date, and
current-dateTime environmental attributes should be provided by the PEP,
not the PDP.
How can one force temporal evaluation schemes on the PDP for it to come up
with values for these attributes? One has no control over the evaluation,
especially if different pieces of the policy get evaluated at different
times. It is completely up to an implementation.
The client of the PDP (i.e. a PEP) should be providing values for these
attributes in the request context. The PDP should NOT supply them.
Otherwise, you would get different answers for the same inputs given by
the client (i.e. a PEP).
In fairness to temporal reasoning, however, it is the onus of the
client, i.e. PEP, in accordance with XACML semantics, to give these
attributes values that are considered valid with the temporal concerns of
an access decision.
Basic upshot: The current-time, current-date, and current-dateTime should
be required to come from the request context.
On Wed, 23 Oct 2002, Seth Proctor wrote:
> In section 10.3.5 of 18d, the spec calls out three attribute identifiers that
> the PDP must be able to handle specially (these are current-time, current-date,
> and current-dateTime). Is the idea that these would appear in an AD in a
> policy, and the PDP is supposed to know to resolve these values itself rather
> than looking in the Request? I think that's the idea, but it's not spelled
> out explicitly in the text.
> Also, these go on that list I started earlier of attributes that should be
> defined to always be of a particular type:
>   subject-category   string or URI
>   resource-id        string or URI
>   scope              string
>   current-time       ???
>   current-date       date
>   current-dateTime   dateTime
> Since each of these identifiers must be special-cased by the PDP, they must
> always be of a known type. There may be others that should be on this list,
> but most of the other identifiers are not treated in any special way by the
> PDP, so the type information is transparent to the PDP.
> seth
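The two positions in this exchange (the reply's point that the PEP must stamp current-time, current-date and current-dateTime into the request context so the PDP never consults its own clock, and Seth's point that these special identifiers must always carry a known datatype) can be shown in a small PEP/PDP pair. This is an added example, not code from the list thread or from any XACML implementation; the request context is a constructed dictionary rather than the XACML XML schema, the attribute identifiers and XML Schema datatypes are the XACML 1.0 ones, and the office-hours rule, the `subject-id`/`resource-id` values and returning a bare "Indeterminate" string for a missing or mistyped attribute are simplifications chosen for illustration.

```python
"""PEP supplies the environment attributes; the PDP resolves them only from the request.

Added example for the xacml list discussion, not code from the thread or any XACML product.
The request context here is a constructed dict: {category: {attribute-id: (datatype, value)}}.
"""
from datetime import datetime, time, timezone

ENV = "urn:oasis:names:tc:xacml:1.0:environment:"
CURRENT_TIME = ENV + "current-time"
CURRENT_DATE = ENV + "current-date"
CURRENT_DATETIME = ENV + "current-dateTime"
XS = "http://www.w3.org/2001/XMLSchema#"

# The datatype each special identifier must always carry (the typed list from the thread).
REQUIRED_TYPES = {
    CURRENT_TIME: XS + "time",
    CURRENT_DATE: XS + "date",
    CURRENT_DATETIME: XS + "dateTime",
}


class MissingAttribute(Exception):
    """Raised when the PDP cannot find a correctly typed attribute in the request context."""


def pep_build_request(subject_id: str, resource_id: str, now: datetime) -> dict:
    """PEP side: a single clock reading stamps all three environment attributes so they agree."""
    if now.tzinfo is None:
        raise ValueError("PEP must supply a zoned timestamp")  # avoid ambiguous local time
    return {
        "subject": {"urn:oasis:names:tc:xacml:1.0:subject:subject-id": (XS + "string", subject_id)},
        "resource": {"urn:oasis:names:tc:xacml:1.0:resource:resource-id": (XS + "anyURI", resource_id)},
        "environment": {
            CURRENT_TIME: (XS + "time", now.timetz().isoformat()),
            CURRENT_DATE: (XS + "date", now.date().isoformat()),
            CURRENT_DATETIME: (XS + "dateTime", now.isoformat()),
        },
    }


def validate_environment(request: dict) -> list:
    """Check that every special identifier is present with its required datatype."""
    problems = []
    env = request.get("environment", {})
    for attr_id, expected in REQUIRED_TYPES.items():
        if attr_id not in env:
            problems.append(f"missing {attr_id}")
        elif env[attr_id][0] != expected:
            problems.append(f"{attr_id}: got {env[attr_id][0]}, expected {expected}")
    return problems


def pdp_resolve(request: dict, category: str, attribute_id: str, datatype: str) -> str:
    """PDP side: resolve strictly from the request context, never from the host clock."""
    bag = request.get(category, {})
    if attribute_id not in bag:
        raise MissingAttribute(attribute_id)
    actual_type, value = bag[attribute_id]
    if actual_type != datatype:
        raise MissingAttribute(f"{attribute_id} has type {actual_type}, expected {datatype}")
    return value


def evaluate_office_hours_rule(request: dict) -> str:
    """Illustrative rule: Permit when current-time is in [09:00, 17:00), else Deny.

    A missing or mistyped current-time yields Indeterminate instead of a clock read,
    so two evaluations of the same request context always give the same answer.
    """
    try:
        raw = pdp_resolve(request, "environment", CURRENT_TIME, XS + "time")
    except MissingAttribute:
        return "Indeterminate"
    t = time.fromisoformat(raw).replace(tzinfo=None)  # compare wall-clock part only
    return "Permit" if time(9, 0) <= t < time(17, 0) else "Deny"


def sample_request(hour: int, minute: int = 0) -> dict:
    """Constructed sample: a PEP request stamped at the given UTC time on 23 Oct 2002."""
    return pep_build_request("alice", "file:///report",
                             datetime(2002, 10, 23, hour, minute, tzinfo=timezone.utc))


if __name__ == "__main__":
    req = sample_request(14, 30)
    print(validate_environment(req), evaluate_office_hours_rule(req))   # [] Permit
    print(evaluate_office_hours_rule({"environment": {}}))              # Indeterminate
```

Because `evaluate_office_hours_rule` never reads the system clock, replaying the same request context later, or on a different PDP node, reproduces the same decision, which is the determinism argument made above; the type check in `pdp_resolve` and `validate_environment` is what makes Seth's "always of a known type" requirement enforceable rather than implicit.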