On Thu, Oct 21, 2010 at 10:52:17AM -0500, Von Welch wrote:
> On Thu, Oct 21, 2010 at 10:33 AM, Nicolas Williams wrote:
> > On Thu, Oct 21, 2010 at 10:25:11AM -0400, Scott Cantor wrote:
> >> Given "valid" configurations of the various components, there aren't any
> >> other common sources of failure I can think of, but whatever might occur is
> >> really not something that ought to be visible to an application other than
> >> as missing or insufficient attributes. That's just a fact of life in a
> >> federated app.
> >
> > Agreed.
>
> Couple thoughts-
>
> You are assuming no one will have a policy that denies access based on
> the presence of an attribute? I personally think having a policy like
> that is a real bad idea, but people will try it if you don't prohibit
> it.

I'm not. A bit of context: we've had this discussion before, and the
conclusion was that we needed an attribute to indicate whether we have
all attributes that could be used in DENY ACL entries.

(The discussion I'm referring to took place in KITTEN WG several years
ago, and was specifically in the context of naming extensions and PACs.)

Nico
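
The following is an added example, not part of the original thread or of any KITTEN WG specification. It shows why a DENY ACL entry needs a completeness indicator when attributes can be silently missing in a federated setting; the marker name `attrs-complete`, the ACL tuple format and the sample attribute sets are assumptions constructed for illustration.

```python
# Added illustration; all names are hypothetical, sample data is constructed.
COMPLETE = "attrs-complete"  # hypothetical marker attribute name

# Constructed ACL entries: (effect, attribute, value)
ACL = [
    ("DENY", "group", "contractors"),
    ("ALLOW", "affiliation", "staff"),
]

def matches(entry, attrs):
    """True if the peer's attribute set contains the entry's value."""
    _, name, value = entry
    return value in attrs.get(name, set())

def naive_evaluate(acl, attrs):
    """Deny-overrides, treating a missing attribute as 'not present'."""
    if any(e[0] == "DENY" and matches(e, attrs) for e in acl):
        return "DENY"
    if any(e[0] == "ALLOW" and matches(e, attrs) for e in acl):
        return "ALLOW"
    return "DENY"

def strict_evaluate(acl, attrs):
    """Same policy, but a DENY entry is trusted not to match only when the
    attribute set is marked complete; otherwise absence proves nothing."""
    has_deny = any(e[0] == "DENY" for e in acl)
    complete = "true" in attrs.get(COMPLETE, set())
    if has_deny and not complete:
        return "DENY"  # fail closed: a deny-relevant attribute may be missing
    return naive_evaluate(acl, attrs)

# Constructed attribute sets as an acceptor might receive them.
PARTIAL = {"affiliation": {"staff"}}  # group attribute was never released
FULL_STAFF = {"affiliation": {"staff"}, COMPLETE: {"true"}}
FULL_CONTRACTOR = {
    "affiliation": {"staff"},
    "group": {"contractors"},
    COMPLETE: {"true"},
}

if __name__ == "__main__":
    for label, attrs in [("partial", PARTIAL), ("full staff", FULL_STAFF),
                         ("full contractor", FULL_CONTRACTOR)]:
        print(label, naive_evaluate(ACL, attrs), strict_evaluate(ACL, attrs))
```

The marker is only meaningful if it is set by the component that gathered the attributes, which is an assumption of this example.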