All,
I have reopened issue 50, how to express and enforce maximum delegation
depth.
http://wiki.oasis-open.org/xacml/IssuesList
The current draft puts the delegation depth into the request as an
ordinary attribute. My colleague Olav Bandmann has raised the issue that
this makes possible to write complex rules regarding permitted
delegation depths, which introduces a path dependency in the reduction
process. We are worried that this makes the overall algorithm
computationally complex.
We do not know for sure what the consequences are and there are no
suggested solutions yet.
Regards,
Erik