"I have a mind like a steel... uh... thingy." Patrick Logan's weblog.

Search This Blog

Friday, June 27, 2003

Capabilities vs. Access Control Lists

Phil Windley presents another effort (or two or three) to take some existing functionality and express it as an XML-based standard.

XACML is the language of the Policy Decision Point, of PDP. The PDP is the chunk of code that recieves access requests, checks to see whether they should be granted, and returns an appropriate response. The PDP is not necessarily the same as the place where credentials are stored. It merely needs access to that service, ideally via SPML. The PDP could be a module running in the local system or a remote system accessed over the Internet.

Again I have to plead ignorance and plea for the principles, guidelines, and scenarios for when to use this functionality. Why is this the right thing to do? Is it ready to use? When would I choose something else? I hope I can dig into the references and find this information.

For example why are ACLs the right model? A capability-based model might be more appropriate, e.g. as provided by Waterken.

No comments:

Blog Archive

About Me

Portland, Oregon, United States
I'm usually writing from my favorite location on the planet, the pacific northwest of the u.s. I write for myself only and unless otherwise specified my posts here should not be taken as representing an official position of my employer. Contact me at my gee mail account, username patrickdlogan.