xacml-comment message

Subject: Broken Rule in Privacy Policy Profile



The rule in section 4.1 of Committee Specification 1 of the XACML v3.0
Privacy Policy Profile Version 1.0 is broken. The arguments to the
string-regexp-match function are both bags (<AttributeDesignator>) when they
should be primitive values.

Noting that it is reasonable for the purpose attributes to be multi-valued,
a correct form for the condition would be:

  <Condition>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
      <Function
        FunctionId="urn:oasis:names:tc:xacml:2.0:function:string-regexp-match"/>
      <AttributeDesignator MustBePresent="false"
        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
        AttributeId="urn:oasis:names:tc:xacml:2.0:resource:purpose"
        DataType="http://www.w3.org/2001/XMLSchema#string"/>
      <AttributeDesignator MustBePresent="false"
        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
        AttributeId="urn:oasis:names:tc:xacml:2.0:action:purpose"
        DataType="http://www.w3.org/2001/XMLSchema#string"/>
    </Apply>
  </Condition>

However, even when corrected, the rule is not as useful as it could be.
The rule is described as stipulating "that access SHALL be denied unless the
purpose for which access is requested matches ... the purpose for which the
data resource was collected" but the rule actually permits access if the
purposes match. The only way access is denied when the purposes don't match
is if the specified rule is the *only* permit rule, which is a significant
limitation.

A better formulation would be to change the effect to Deny and negate the
condition so that when the purposes don't match, the overall effect is Deny
regardless of whether any other rules permit or deny access. That is, I think
the rule should be:

  <Rule xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17
        xacml-core-v3-schema-wd-17.xsd"
    RuleId="urn:oasis:names:tc:xacml:2.0:matching-purpose"
    Effect="Deny">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
          <Function
            FunctionId="urn:oasis:names:tc:xacml:2.0:function:string-regexp-match"/>
          <AttributeDesignator MustBePresent="false"
            Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
            AttributeId="urn:oasis:names:tc:xacml:2.0:resource:purpose"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
          <AttributeDesignator MustBePresent="false"
            Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
            AttributeId="urn:oasis:names:tc:xacml:2.0:action:purpose"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </Apply>
      </Apply>
    </Condition>
  </Rule>


Regards,
Steven
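Added example, not part of Steven's message or of the OASIS profile: a small Python model of the two rule shapes discussed, showing why the Permit-effect rule cannot block a purpose mismatch when another rule permits, while the Deny-effect rule with the negated condition can. Bags are plain lists, an empty list models a purpose attribute that is absent under MustBePresent="false", and the unrelated permitting rule and deny-overrides combiner are constructed for the demonstration.

```python
import re

def string_regexp_match(pattern: str, value: str) -> bool:
    """XACML string-regexp-match: first argument is the regexp, second the string.
    XML Schema regexps match the whole string, hence fullmatch."""
    return re.fullmatch(pattern, value) is not None

def any_of_any(fn, bag_a, bag_b) -> bool:
    """XACML any-of-any: true if fn(a, b) holds for some a in bag_a and b in bag_b.
    Over an empty bag there is no pair, so the result is false."""
    return any(fn(a, b) for a in bag_a for b in bag_b)

def corrected_permit_rule(resource_purposes, action_purposes) -> str:
    """Section 4.1 rule as first corrected in the message: Effect=Permit when
    some collected purpose matches some requested purpose, else NotApplicable."""
    matched = any_of_any(string_regexp_match, resource_purposes, action_purposes)
    return "Permit" if matched else "NotApplicable"

def proposed_deny_rule(resource_purposes, action_purposes) -> str:
    """Message's proposed reformulation: Effect=Deny with the condition negated,
    so a purpose mismatch (or a missing purpose) yields Deny."""
    matched = any_of_any(string_regexp_match, resource_purposes, action_purposes)
    return "NotApplicable" if matched else "Deny"

def deny_overrides(decisions) -> str:
    """Constructed rule-combining algorithm: any Deny wins, then any Permit,
    else NotApplicable. Indeterminate results are not modelled here."""
    if "Deny" in decisions:
        return "Deny"
    if "Permit" in decisions:
        return "Permit"
    return "NotApplicable"

def policy_decision(purpose_rule, resource_purposes, action_purposes,
                    other_rules=("Permit",)) -> str:
    """Combine the purpose rule with the decisions of the policy's other rules
    (constructed default: one unrelated rule that permits the request)."""
    return deny_overrides([purpose_rule(resource_purposes, action_purposes), *other_rules])

if __name__ == "__main__":
    collected, requested = ["research"], ["marketing"]   # constructed purposes
    # Permit-shaped rule: a mismatch only makes it NotApplicable; the other Permit wins.
    print(policy_decision(corrected_permit_rule, collected, requested))  # Permit
    # Deny-shaped rule: a mismatch produces Deny regardless of the other rules.
    print(policy_decision(proposed_deny_rule, collected, requested))     # Deny
```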

