Subject: RE: [xacml] Erik absent from focus group this week
All - I have given a little thought to Erik's question about the naming of "delegate". My preference is to change "delegate" to "issuer" (see footnote). Of course, there is potential for confusion with the <PolicyIssuer> element. But, when seen in context (inside the <Target> element) its meaning should be clear.
An alternative for <PolicyIssuer> would be <IssuerOfThisPolicy>. But, my preference is to leave it as <PolicyIssuer>.
Perhaps we should talk about "administrative" policy, instead of "administration" policy, to align with "administrative" request, since "administration" request doesn't seem to convey the meaning well.
Having evaluated a "pending policy", i.e. one that is not "in force" because it contains a <PolicyIssuer> element, the contents of the <PolicyIssuer> element would be placed in the <Issuer> element of the administrative request context. The context handler may include additional verified attributes of the "policy issuer". As currently defined, we are allowing the issuer of a policy to include others of its attributes in addition to its names. We should mention that the context handler should only include attributes that it has verified (by unspecified means).
Please "chime in" if you disagree.
All the best. Tim.
Footnote: the elements <Delegates>, <Delegate>, <DelegateMatch>, <DelegateAttributeDesignator>, <LaterDelegateAttributeDesignator>, <xacml-context:Delegate> and <xacml-context:LaterDelegate> are all impacted in a corresponding way.