I understand the importance of "bootstrapping" the Content Creation PEP. 
However, I'm not sure it's appropriate for the PDP to tell it its roles as 
outlined in v02. It seems to me that role (and other related information about 
the author) would come from the PIP and be delivered to the PDP as part of the 
initial bootstrap and authentication process. At that point, the PDP could 
reply with the set of policies available to the user.

Retrieving the list of policies is itself essentially another access control 
decision (i.e., what types of data is this user allowed to publish?). So it 
seems to make sense to follow the PEP/PIP/PDP model in this interaction too. It 
also allows for more flexibility in determining what policies to assign to the 
user, beyond just Role-based access control decisions.


Scott Fitch
Cyber Architect
Lockheed Martin Enterprise Business Services


_______________________________________________
plasma mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/plasma
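
The interaction proposed in the message above, as an added sketch that is not part of the original message or of the Plasma drafts: the PEP passes only the authenticated identity, the PDP pulls attributes from the PIP, and listing the available policies is evaluated as one access decision per policy. All names, attributes and policies below are hypothetical and the directory data is constructed.

```python
# Added illustration; every name, attribute and policy here is hypothetical.
from dataclasses import dataclass
from typing import Callable, Dict, List

Attributes = Dict[str, object]

# PIP: authoritative source of subject attributes (constructed sample data).
PIP_DIRECTORY: Dict[str, Attributes] = {
    "alice": {"roles": {"author"}, "org": "ExampleCorp", "clearance": 2},
    "bob": {"roles": {"author"}, "org": "Partner", "clearance": 1},
}

def pip_lookup(subject: str) -> Attributes:
    """Return attributes for an authenticated subject; unknown subjects get none."""
    return PIP_DIRECTORY.get(subject, {})

@dataclass(frozen=True)
class PublishPolicy:
    name: str
    may_use: Callable[[Attributes], bool]  # rule over PIP attributes

# Rules are not limited to roles: organisation and clearance also count.
POLICIES: List[PublishPolicy] = [
    PublishPolicy("public", lambda a: "author" in a.get("roles", set())),
    PublishPolicy("internal", lambda a: a.get("org") == "ExampleCorp"),
    PublishPolicy(
        "restricted",
        lambda a: a.get("org") == "ExampleCorp" and a.get("clearance", 0) >= 2,
    ),
]

def pdp_list_policies(subject: str) -> List[str]:
    """PDP: answer 'which policies may this user publish under?' as one
    access decision per policy, using PIP attributes only."""
    attrs = pip_lookup(subject)
    return [p.name for p in POLICIES if p.may_use(attrs)]

def pep_bootstrap(authenticated_subject: str, claimed_roles=None) -> List[str]:
    """PEP: forwards the authenticated identity. Roles claimed by the client
    are deliberately ignored, so it cannot widen its own policy set."""
    return pdp_list_policies(authenticated_subject)

if __name__ == "__main__":
    for user in ("alice", "bob", "mallory"):
        print(user, pep_bootstrap(user, claimed_roles={"admin"}))
```
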
