[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: RE: [Issue] Any and All error semantics
Again, I tried to post this to the list but apparently failed. --bob Bob Blakley (email: blakley@us.tivoli.com phone: +1 512 436 1564) Chief Scientist, Security, Tivoli Systems, Inc. ---------------------- Forwarded by George Robert Blakley III/Austin/IBM on 08/20/2001 11:13 AM --------------------------- Hal Lockhart <hal.lockhart@entegrity.com> on 08/20/2001 08:28:36 AM Please respond to Hal Lockhart <hal.lockhart@entegrity.com> To: George Robert Blakley III/Austin/IBM@IBMUS cc: Subject: RE: [Issue] Any and All error semantics Your interpretations are correct. I will look at rewording the issue writeup. Your opinions are edifying, but why not share them with the list? Hal > -----Original Message----- > From: George Robert Blakley III [mailto:blakley@us.tivoli.com] > Sent: Wednesday, August 15, 2001 6:37 PM > To: Hal Lockhart > Subject: Re: [Issue] Any and All error semantics > > > My $0.0.2: > > ISSUE:[DS-12-01: AnyAllAttrReq] > > >Should an Attribute Assertion Request be allowed to specify > "ANY" and/or > >"ALL"? If so, what attributes should be returned and should > an error be > >returned in for ANY and for ALL in each of the following case: > > Yes, a request should be allowed to specify "ANY/ALL". > > >· Subject possesses all requested attributes > > ANY: All attributes returned, no error > ALL: All attributes returned, no error > > >· Subject possesses some of requested attributes, but the > others exist > > I don't understand what "but the others exist" means in this sentence. > If it means, "some subjects have these attributes according to this > attribute > authority, but the requested subject does not have these > attributes", then: > > ANY: All attributes which were requested and which the > subject possesses > are returned. No error. > ALL: No attributes are returned, no error. > > >· Subject possesses some of requested attributes, but others do not > >exist > > I don't understand what "but others do not exist" means in > this sentence. > If it means "this authority doesn't support some of the > requested attribute > types", then: > > ANY: All attributes which were requested and which the > subject posesses > are returned. No error > ALL: No attributes are returned. Error "attribute types > <xxx, yyy, ...> > not supported" > is returned. > > >· Subject possesses some requested attributes which are > not permitted > >to be returned to this relying party because of privacy policy > > ANY: All attributes which the subject possesses and which > *are* permitted > to > be returned, are returned. No error. > ALL: No attributes are returned, no error. > > NOTE: A security policy could also prohibit disclosure of attributes > (i.e. it doesn't have to be a privacy policy) > > >· Subject possesses none of requested attributes, but does possess > >others > > ANY: No attributes returned, no error > ALL: No attributes returned, no error > > >· All of attributes possessed by this subject are not > permitted to be > >returned to this relying party because of privacy policy > > ANY: No attributes returned, no error > ALL: No attributes returned, no error > > NOTE: A security policy could also prohibit disclosure of attributes > (i.e. it doesn't have to be a privacy policy) > > >· Attribute Authority has no information about this subject > > ANY: No attributes returned, error "unknown subject" returned > ALL: No attributes returned, error "unknown subject" returned > > --bob > > Bob Blakley (email: blakley@us.tivoli.com phone: +1 512 436 1564) > Chief Scientist, Security, Tivoli Systems, Inc. >
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC