Subject: Re: [xacml-comment] Test IIB025
On Tue, 26 Nov 2002, tony wilson wrote:

> This test appears to be designed to illustrate a subject-id mismatch
> between the Subject in the Context Request ('Julius Hibbert'), and that
> in the Policy's Rule Target ('Julius'). This would lead to a 'not
> applicable' Response.
>
> However, the Subject Attribute in the Context Request does not specify
> an Issuer, whereas the SubjectAttributeDesignator in the Rule Target
> does specify an Issuer.
> From my reading of the Attribute matching portion of the spec (section
> 7.9.1), this should mean that the two attributes do not match and their
> values therefore cannot be compared.

They are compared and they do not match.

> As the PDP will thus be unable to resolve the correct subject-id
> attribute from the policy, the response should therefore be
> 'indeterminate'. Is this a correct interpretation?

No. The SubjectAttributeDesignator in the policy is asking for the values that match its criteria, of which none can be found. This evaluates to an empty bag, which makes the SubjectMatch vacuously return false. Since there is only one rule, the "deny-overrides" combining algorithm returns Not-Applicable.

However, if the test were slightly different, such as if the SubjectAttributeDesignator had its MustBePresent="true", then an attribute matching the designator criteria would indeed not be present. Then the designator would raise an indeterminate, which would lift up through the rule evaluation as Indeterminate. The "deny-overrides" combining algorithm will preserve this and the policy would evaluate to Indeterminate.

Cheers,
-Polar

>
> Cheers,
> Tony
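The two outcomes described in the reply above, modelled as an added example that is not part of the original message or of the XACML conformance suite. The issuer string, the rule's Permit effect and all function names are assumptions made for illustration; the test file's actual values are not shown in the thread.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Attribute:
    attribute_id: str
    value: str
    issuer: Optional[str] = None

@dataclass(frozen=True)
class Designator:
    attribute_id: str
    issuer: Optional[str] = None
    must_be_present: bool = False

def resolve(designator, request):
    """Return the bag of selected values, or None to signal Indeterminate."""
    # An Issuer on the designator is part of the selection criteria;
    # a designator without one selects on the identifier alone.
    bag = [a.value for a in request
           if a.attribute_id == designator.attribute_id
           and (designator.issuer is None or a.issuer == designator.issuer)]
    if not bag and designator.must_be_present:
        return None
    return bag

def evaluate_rule(designator, literal, effect, request):
    bag = resolve(designator, request)
    if bag is None:
        return "Indeterminate"
    # A match over an empty bag is vacuously false: the rule does not apply.
    return effect if literal in bag else "NotApplicable"

def deny_overrides(results):
    """Combine (decision, rule_effect) pairs; Deny wins, errors are preserved."""
    potential_deny = error = permit = False
    for decision, effect in results:
        if decision == "Deny":
            return "Deny"
        if decision == "Permit":
            permit = True
        elif decision == "Indeterminate":
            error = True
            potential_deny = potential_deny or effect == "Deny"
    if potential_deny:
        return "Indeterminate"
    if permit:
        return "Permit"
    return "Indeterminate" if error else "NotApplicable"

def evaluate_policy(must_be_present, issuer="constructed-issuer"):
    request = [Attribute("subject-id", "Julius Hibbert")]  # constructed, no Issuer
    designator = Designator("subject-id", issuer, must_be_present)
    effect = "Permit"  # assumed; the thread does not state the rule's effect
    decision = evaluate_rule(designator, "Julius", effect, request)
    return deny_overrides([(decision, effect)])
```

Calling `evaluate_policy(False)` gives the Not-Applicable result of the test as written, and `evaluate_policy(True)` gives the Indeterminate result of the MustBePresent variant.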