directory-dev mailing list archives

From Alex Karasulu <>
Subject Re: [AAA] Was: Re: Introducing myself
Date Thu, 01 Jan 1970 00:00:00 GMT

> The architecture and separation of concerns looks similar to XACML.  Cf, 
> for example, 

I agree, Phil.  I have been thinking about borrowing some of the XACML 
and finding connection points with the AAA stuff.  I think both have 
aspects about them that are very similar.  XACML, however, has representations
for all parts that play in the diagram.  

> (see the data flow diagram on p. 19) with the "container" playing the 
> role of both the policy enforcement point and the policy decision point. 

>   Having these things separated and defining an (ideally open) protocol 
> to connect them provides deployment flexibility (PDPs can be remoted), 
> container independence and scalability benefits (the PDPs can cache 
> authorizations and provide HA services for multiple containers).   One 
> thing to consider would be to at least use XACML policy language to 
> represent authorization rules and policies.

Yes, as I said, it has a very expressive representation that's already defined.
The language definition to express these constructs is half the
battle and I think XACML is the future for such representations.  It 
also establishes the relationships between entities.  Vince, take a look at
p.21: the relationships are already defined for us - this is what Phil is
talking about, I think. 

