Use of Obligations in the Privilege Project Authorization Infrastructure for OpenScienceGrid
Hi All,

I have written a document for the OGSA AuthZ WG that describes how we use obligations in the privilege project for the Open Science Grid. I have uploaded the document to grid forge at /projects/ogsa-authz/document/SAML-Obligation-Extensions-used-in-OSG/en/1.

In short, I decided to follow David's proposal for an ObligatedAuthorizationDecisionStatement but used the "Obligation" element as an extension point. I then implemented an XACML Obligation. (Others could choose to implement PonderObligation.) I found that all the obligations I want to convey are naturally expressed as attribute assignments (see examples in the document). While there may be semantic negotiation issues (which we also have for standard attributes), I like the possible integration path with XACML over SAML and the ease with which I can define an obligation in an XACML policy and have it, with no effort, appear in the decision statement.

I continue to believe that we should move away from the SAML Authorization Decision Statement towards the use of XACML over SAML in the long run. (See my email from Sept. 23, 2004.)

I won't be able to attend GGF13. Hope y'all have a great meeting.

Markus

----------------------------------------------------------------
Markus Lorch
Department of Computer Science          Phone: +1 540 231 5914
Virginia Tech, m/c 106                  Fax:   +1 540 231 6075
Blacksburg, VA 24061, U.S.A.            http://people.cs.vt.edu/~mlorch
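The shape described above, as an added illustration that is not the privilege project's code: a SAML 1.x decision statement carrying an XACML Obligation whose payload is attribute assignments, and a policy enforcement point that applies the XACML rule of denying when it cannot fulfil an obligation it does not understand. The extension namespace, obligation id and attribute ids are placeholders, and the sample statement is constructed; the real identifiers are in the document on grid forge, not here.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
XACML_NS = "urn:oasis:names:tc:xacml:1.0:policy"
EXT_NS = "urn:example:ogsa-authz:obligation-ext"  # placeholder, not the real extension namespace

# Constructed sample: Permit decision plus one XACML Obligation expressed as attribute assignments.
SAMPLE = f"""<saml:Assertion xmlns:saml="{SAML_NS}" xmlns:xacml="{XACML_NS}" xmlns:ext="{EXT_NS}">
  <ext:ObligatedAuthorizationDecisionStatement Decision="Permit" Resource="gsiftp://se.example.org/">
    <saml:Subject><saml:NameIdentifier>/DC=org/DC=example/CN=Alice</saml:NameIdentifier></saml:Subject>
    <ext:Obligation>
      <xacml:Obligation ObligationId="urn:example:obligation:local-account" FulfillOn="Permit">
        <xacml:AttributeAssignment AttributeId="urn:example:attr:uid">osguser01</xacml:AttributeAssignment>
        <xacml:AttributeAssignment AttributeId="urn:example:attr:gid">osg</xacml:AttributeAssignment>
      </xacml:Obligation>
    </ext:Obligation>
  </ext:ObligatedAuthorizationDecisionStatement>
</saml:Assertion>"""

def parse_decision(xml_text):
    """Return (decision, obligations); each obligation is {id, fulfill_on, assignments}."""
    root = ET.fromstring(xml_text)
    stmt = root.find(f"{{{EXT_NS}}}ObligatedAuthorizationDecisionStatement")
    if stmt is None:
        raise ValueError("no ObligatedAuthorizationDecisionStatement in assertion")
    obligations = []
    for ob in stmt.iter(f"{{{XACML_NS}}}Obligation"):
        assigns = {a.get("AttributeId"): (a.text or "").strip()
                   for a in ob.findall(f"{{{XACML_NS}}}AttributeAssignment")}
        obligations.append({"id": ob.get("ObligationId"),
                            "fulfill_on": ob.get("FulfillOn", "Permit"),
                            "assignments": assigns})
    return stmt.get("Decision"), obligations

# Obligation ids this (hypothetical) PEP knows how to enforce; anything else is a semantic gap.
KNOWN_OBLIGATIONS = {"urn:example:obligation:local-account"}

def pep_enforce(xml_text):
    """Apply the decision: Permit only if every applicable obligation is understood and collected."""
    decision, obligations = parse_decision(xml_text)
    if decision != "Permit":
        return ("Deny", {})
    env = {}
    for ob in obligations:
        if ob["fulfill_on"] != "Permit":
            continue                      # not applicable to a Permit decision
        if ob["id"] not in KNOWN_OBLIGATIONS:
            return ("Deny", {})           # cannot fulfil it, so refuse rather than ignore it
        env.update(ob["assignments"])     # attribute assignments become the enforcement inputs
    return ("Permit", env)
```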