> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of Fitch, Scott C
> Sent: Thursday, August 04, 2011 1:57 PM
> To: [email protected]
> Subject: [plasma] PEP Bootstrapping
> 
> I understand the importance of "bootstrapping" the Content Creation PEP.
> However, I'm not sure it's appropriate for the PDP to tell it its roles as
> outlined in v02. It seems to me that role (and other related information
> about the author) would come from the PIP and be delivered to the PDP as
> part of the initial bootstrap and authentication process. At that point, the
> PDP could reply with the set of policies available to the user.

The model is operating under the impression that the "roles" an entity can
assume are based not on configuration, but on application of policy
information. This means that it is not a configured property, which would
make it appropriate for a PIP, but is computed based on the properties
obtained from the PIP and the policy configuration in the PDP.

Does this make sense?  Is there something we can do to make this more clear?


> 
> Retrieving the list of policies is itself essentially another access control
> decision (i.e., what types of data is this user allowed to publish?). So it seems
> to make sense to follow the PEP/PIP/PDP model in this interaction too. It also
> allows for more flexibility in determining what policies to assign to the user,
> beyond just Role-based access control decisions.
> 

I believe this is what the document currently says.  Do you see a need for
changes here?

Jim

> 
> Scott Fitch
> Cyber Architect
> Lockheed Martin Enterprise Business Services
> 
> 
> _______________________________________________
> plasma mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/plasma
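
Added example, not part of the thread or of the Plasma drafts: a minimal sketch of the bootstrap exchange discussed above, where the PIP holds only authenticated properties and the PDP computes roles from them using its own policy configuration before answering which policies the author may publish under. All attribute names, role names, policy labels and the rule format are hypothetical.

```python
from dataclasses import dataclass

# Constructed PIP data: authenticated properties only, no roles stored here.
PIP = {
    "alice@example.com": {"employer": "example-corp", "clearance": "secret"},
    "bob@partner.example": {"employer": "partner-llc"},
}

@dataclass(frozen=True)
class RoleRule:          # PDP policy configuration: attributes -> role
    role: str
    required: dict       # attribute name -> set of acceptable values

@dataclass(frozen=True)
class PublishPolicy:     # a policy the Content Creation PEP may apply
    label: str
    roles: frozenset     # roles permitted to publish under it

class PDP:
    def __init__(self, role_rules, policies):
        self.role_rules = list(role_rules)
        self.policies = list(policies)

    def compute_roles(self, attrs):
        """Derive roles at decision time; an empty rule grants nothing (fail closed)."""
        return {r.role for r in self.role_rules
                if r.required and all(attrs.get(k) in ok for k, ok in r.required.items())}

    def bootstrap(self, subject, pip):
        """Answer the PEP's bootstrap query: which policies may this subject use?"""
        roles = self.compute_roles(pip.get(subject, {}))  # unknown subject: no attributes
        labels = sorted(p.label for p in self.policies if p.roles & roles)
        return roles, labels

RULES = [
    RoleRule("employee", {"employer": {"example-corp"}}),
    RoleRule("cleared-author", {"employer": {"example-corp"}, "clearance": {"secret"}}),
    RoleRule("partner", {"employer": {"partner-llc"}}),
]
POLICIES = [
    PublishPolicy("company-confidential", frozenset({"employee"})),
    PublishPolicy("project-x", frozenset({"cleared-author"})),
    PublishPolicy("partner-shared", frozenset({"employee", "partner"})),
]

if __name__ == "__main__":
    pdp = PDP(RULES, POLICIES)
    for who in PIP:
        print(who, *pdp.bootstrap(who, PIP))
```

Changing the rule set in the PDP changes the roles a subject receives without touching the PIP data, which is the separation the reply describes.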

