On Sat, Oct 23, 2010 at 1:34 PM, Scott Cantor <[log in to unmask]> wrote:
>> My proposal: add one special attribute whose meaning is "not all
>> attributes are available [due to transient failures]". Just as one
>> might have an attribute whose meaning is "all attributes suitable for
>> matching DENY ACL entries have been obtained".
>
> Actually that's appealing, as it's not an API change, and it gives me a way
> to expose failures to web applications as Von was suggesting.
I agree. It would make it straight-forward to write into any
attribute-based policy language that you require all attributes to be
available for a particular clause. Plus any logging of attributes
gives you an indication of the result of the gathering process.
Von
--
Von Welch Consulting, LLC
Technical Leadership for Distributed Cyberinfrastructure,
Cybersecurity and Federated Identity
[log in to unmask]
www.vonwelch.com
(217) 621-2795
|