
shibboleth-dev - XACML

Subject: Shibboleth Developers

  • From: Scott Cantor <>
  • To:
  • Subject: XACML
  • Date: Fri, 08 Nov 2002 12:54:27 -0500
  • Importance: Normal
  • Organization: The Ohio State University

FYI, it just went out for public review, so it's a committee spec now.
That freezes things, structurally speaking, unless someone points out a
horrible mistake in their data model.

I'm about halfway through the spec, which is fairly complex. If I'm
understanding what I'm reading, XACML is no longer reliant on SAML for
anything, and does not use the same XML content models (let alone
schema) for the concepts that overlap (e.g. Subjects, Attributes,
Request/Response, Authz Decisions).

Attributes are interesting, because they pretty much did in XACML what I
wanted SAML to do, namely uniquely identify all attributes by a URI and
dump the "sort of namespace but not really" concept that SAML uses but
doesn't define well enough to be a good idea.

Anyway, I'm not sure I see much direct relevance between the two specs
any more, and this seems to totally render SAML Authz Decision stuff
meaningless to me, so I guess I'm glad I ignored all that. ;-)

The schema is fairly complicated, but it does feel like it could
represent ARPs with some conventions on our part.

It also has some pretty obvious overlap with our discussions in LA about
how to select the right policy when you have duplicates or multiple
matching policies, so it could really help our formalism on that.

I sent off some inquiries regarding the patent situation as well.

-- Scott
