Re: [xacml-comment] Public Comment

[Polar Humenn <polar@syr.edu>]

On Wed, 21 Oct 2004 comment-form@oasis-open.org wrote:

> Comment from: diegog@lagash.com
>
> Hi,
>
> I found something strange during the implementation of the Variables. I've found there is a new element in the schema called Expression which is a common element for every "parameter" of the Apply. The idea is great because it makes the schema very simple.
> It means the Apply's inner elements can be any of the elements that can be treated as Expresions, where the Function elemet is also included.
>
> On other hand, the VariableDefinition also define it's value as an Expression which also includes the Function element. So the following Xml is validated by the schema:
>
> <VariableDefinition VariableId="variable">
> 	<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal" />
> </VariableDefinition>
>
> The same happens with the Condition element, the following xml is also validated by the schema:
>
> <Condition>
> 	<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal" />
> </Condition>
>
> The questions are:
>  - This is valid?
>  I've not found the explanation in the document if there is a variable
> that can contain a function.

The schema validity is only a syntax check. It doesn't say anything about
the more stringent semantic restrictions placed on the content of the
language, such as type checking. Obviously, you can write a schema valid
expression that isn't type correct, and therefore would not be valid
XACML. Such as applying "string-equal" to two integers.

It is true that any Expression may be a Function, which is in turn passed
to the application (Apply) of another function as an argument, such as
with the higher-order functions.

So, there should be no problem with a VariableDefinition being a Function.

The Condition, however, forces its contained expression to reduce to a
boolean value. A Function placed in a Condition as you have it, can only
be this, if it is a zero-ary function (i.e.  takes no arguments). A
zero-ary function is otherwise known as a constant, and is better off
being represented as a simple value, Nothing precludes that restriction
however. We do not define any zero-ary Functions, but that doesn't have to
stop your implemenation from doing so. :^) We just require that it not
return different values for different evaluations. That is to say that a
zero-ary function MAY NOT base it value on anything "outside" of the
XACML request, like weather, a zenner-diode, random-number, etc.

>  - In the case of the Condition I think this is not valid, but I'll like
> to hear your thoughts on this.

Hope that helps.

Cheers,
-Polar


>
> Hope you have time to answer the questions,
>
> Thanks in advance,
> Diego Gonzalez
> Lagash Systems SA
>