MHonArc v2.5.0b2 -->
xacml message
[Date Prev]
| [Thread Prev]
| [Thread Next]
| [Date Next]
--
[Date Index]
| [Thread Index]
| [List Home]
Subject: Re: [xacml] Erik absent from focus group this week
I'll chime in on the positive side: I agree with all these suggestions.
Perhaps we should also mention that the Context may include other
verified attributes of the Issuer obtained by the Context Handler from
sources other than other physical policies in a chain.
Anne
Tim Moses wrote:
> All - I have given a little thought to Eric's question about the naming
> of "delegate". My preference is to change "delegate" to "issuer" (see
> footnote). Of course, there is potential for confusion with the
> <PolicyIssuer> element. But, when seen in context (inside the <Target>
> element) its meaning should be clear.
>
> An alternative for <PolicyIssuer> would be <IssuerOfThisPolicy>. But,
> my preference is to leave it as <PolicyIssuer>.
>
> Perhaps we should talk about "administrative" policy, instead of
> "administration" policy, to align with "administrative" request, since
> "administration" request doesn't seem to convey the meaning well.
>
> Having evaluated a "pending policy", i.e. one that it is not "in force"
> because it contains a <PolicyIssuer> element, the contents of the
> <PolicyIssuer> element would be placed in the <Issuer> element of the
> administrative request context. The context handler may include
> additional verified attributes of the "policy issuer". As currently
> defined, we are allowing the issuer of a policy to include others of its
> attributes in addition to its names. We should mention that the context
> handler should only include attributes that it has verified (by
> unspecified means).
>
> Please "chime in" if you disagree.
>
> All the best. Tim.
>
> Footnote: the elements <Delegates>, <Delegate>, <DelegateMatch>,
> <DelegateAttributeDesignator>, <LaterDelegateAttributeDesignator>,
> <xacml-contect:Delegate> and <xacml-contect:LaterDelegate> are all
> impacted in a corresponding way.
>
>