OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml-comment message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [xacml-comment] The x500Name-match function is not clearly defined

Steven,

Thank you for your attention. XACML specifies (in section A.2) that the 
x500Name data type must use the LDAP form of encoding, so there should 
not be any ambiguity. It refers to a suffix, which is why the word 
"terminal" is used.

Best regards,
Erik

On 2011-01-24 07:03, Steven Legg wrote:
>
> The description of the x500Name-match function in Appendix A.3.14 of the
> XACML 3.0 core specification is ambiguous. The function operates on 
> values of
> the x500Name data-type, which despite its name uses the LDAP DN format 
> for
> its concrete syntax. The source of ambiguity in the function 
> definition comes
> from the fact that LDAP orders the RDNs in a distinguished name in the 
> opposite
> order to X.500.
>
> In my experience, the most common use case for matching of DNs after 
> straight
> equality matching is testing whether one entry (the descendant) is in the
> subtree of another entry (the ancestor), including the possibility 
> that they
> are the same entry. In X.500 terms this means testing whether the DN 
> of the
> ancestor is the same as, or a prefix of, the DN of the descendant. In 
> LDAP
> terms this means testing whether the DN of the ancestor is the same 
> as, or a
> suffix of, the DN of the descendant. It is plausible that this is what 
> the
> x500Name-match is meant to do so this is how I have implemented it. 
> However, it
> would better if the standard made this clear. I note also from the mail
> archives that the precise meaning of "some terminal sequence of RDNs" 
> is open
> to interpretation.
>
> Here is my suggestion for an improved description of the x500Name-match
> function:
>
>     This function shall take two arguments of
>     "urn:oasis:names:tc:xacml:1.0:data-type:x500Name" and shall return an
>     "http://www.w3.org/2001/XMLSchema#boolean";. It shall return "True" 
> if and
>     only if there is a contiguous sequence of RDNs in the second 
> argument that
>     includes the final (rightmost) RDN and is equal to the first argument
>     according to the x500Name-equal function.
>
>     For example, the following expression SHALL return "True":
>
> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:x500Name-match">
> <AttributeValue 
> DataType="urn:oasis:names:tc:xacml:1.0:data-type:x500Name"
> >ou=Finance,o=Acme</AttributeValue>
> <AttributeValue 
> DataType="urn:oasis:names:tc:xacml:1.0:data-type:x500Name"
> >cn=John Smith,ou=Finance,o=Acme</AttributeValue>
> </Apply>
>
>     Note that LDAP encodes the RDNs in the reverse order to X.500. 
> XACML uses
>     the LDAP encoding for the x500Name data-type and this function is 
> defined
>     in terms of the LDAP ordering.
>
> Regards,
> Steven
>

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]