[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml] XACML Obligations and SAML Conditions (?)
Not sure if "considering" is the right wording ... as I understood it, it was a point of discussion that required resolution, and was added to the saml 2.0 todo list. I just send in my 5c before I forgot ;-) -Frank. Polar Humenn wrote: > On Wed, 10 Sep 2003, Frank Siebenlist wrote: > > >>In my mind, the issuer of an assertion vouches for the validity of the >>statement, and that the conditions clause should only apply to the validity of >>the statement as a whole. >> >>In the case of an xacml response, the obligations seems part of that response, >>and together constitute the statement. It is this complete statement that will >>be used by the pep after the validation of the assertion. >> >>To pull the obligations out and carry them in the saml's conditions doesn't seem >>to fit that model well. > > > Ah, I got your point. I agree with you. The response carrying within an > XACML response should be the captured as whole statement. > > Were we really considering pulling obligations out into the Conditions? > > Cheers, > -Polar > > >>-Frank. >> >> >>Polar Humenn wrote: >> >> >>>On Wed, 10 Sep 2003, Frank Siebenlist wrote: >>> >>> >>> >>>>My feel is that the saml condition is on the assertion level, while the xacml >>>>obligation is on the decision response level. >>>> >>>>Does it make sense to have the decision response including the obligations live >>>>outside of the assertion? >>>>If the answer is yes, then that may have answered the question... >>> >>> >>>I'm not quite sure what you mean. >>> >>>An obligation is part of the decision response. If we use the SAML >>>Response to wrap this XACML response, By virtue of being a SAML Response, >>>does that mean the XACML Response must be an Assertion? So, do you mean by >>>turning the response into a SAML Assertion that we should strip the >>>obligations out and put them some where else? >>> >>>-Polar >>> >>> >>> >>>>-Frank. >>>> >>>> >>> >>> >> > -- Frank Siebenlist franks@mcs.anl.gov The Globus Project - Argonne National Laboratory
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]