
Subject: Re: [xacml-comment] Re: Broken Rule in Privacy Policy Profile



Unless the function definition has changed in some way its URI should not be changed between versions. Doing so would break existing implementations. The URI just needs to be unique for each specific version of a function.

It seems sensible to use a convention of using the release number of the release in which the new version was introduced, and not changing it between releases until another new version is introduced.

Sorry if I misunderstood your comment.

On 02/22/2012 09:53 PM, Steven Legg wrote:

The URI for the string-regexp-match function is wrong also (in the profile and in my suggested corrections). The version should be 1.0 rather than 2.0.

Regards,
Steven

On 22/02/2012 9:58 AM, Steven Legg wrote:

The rule in section 4.1 of Committee Specification 1 of the XACML v3.0
Privacy Policy Profile Version 1.0 is broken. The arguments to the
string-regexp-match function are both bags (<AttributeDesignator>) when they
should be primitive values.

Noting that it is reasonable for the purpose attributes to be multi-valued,
a correct form for the condition would be:

<Condition>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
    <Function
      FunctionId="urn:oasis:names:tc:xacml:2.0:function:string-regexp-match"/>
    <AttributeDesignator MustBePresent="false"
      Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
      AttributeId="urn:oasis:names:tc:xacml:2.0:resource:purpose"
      DataType="http://www.w3.org/2001/XMLSchema#string"/>
    <AttributeDesignator MustBePresent="false"
      Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
      AttributeId="urn:oasis:names:tc:xacml:2.0:action:purpose"
      DataType="http://www.w3.org/2001/XMLSchema#string"/>
  </Apply>
</Condition>

However, even when corrected, the rule is not as useful as it could be.
The rule is described as stipulating "that access SHALL be denied unless the purpose for which access is requested matches ... the purpose for which the
data resource was collected" but the rule actually permits access if the
purposes match. The only way access is denied when the purposes don't match is if the specified rule is the *only* permit rule, which is a significant
limitation.

A better formulation would be to change the effect to Deny and negate the condition so that when the purposes don't match, the overall effect is Deny regardless of whether any other rules permit or deny access. That is, I think
the rule should be:

<Rule xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17
    xacml-core-v3-schema-wd-17.xsd"
  RuleId="urn:oasis:names:tc:xacml:2.0:matching-purpose"
  Effect="Deny">
  <Condition>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
        <Function
          FunctionId="urn:oasis:names:tc:xacml:2.0:function:string-regexp-match"/>
        <AttributeDesignator MustBePresent="false"
          Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
          AttributeId="urn:oasis:names:tc:xacml:2.0:resource:purpose"
          DataType="http://www.w3.org/2001/XMLSchema#string"/>
        <AttributeDesignator MustBePresent="false"
          Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
          AttributeId="urn:oasis:names:tc:xacml:2.0:action:purpose"
          DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </Apply>
    </Apply>
  </Condition>
</Rule>


Regards,
Steven




--
Regards,
Farrukh Najmi

Web: http://www.wellfleetsoftware.com
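The point Steven makes about the Permit rule versus the Deny rule with a negated condition can be checked with a small simulation. The following is an added example, not code from the thread or from OASIS: a constructed mini-evaluator that models any-of-any, string-regexp-match, not, MustBePresent="false" designators (missing attribute gives an empty bag) and a deny-overrides combining algorithm, then combines each rule shape with an unrelated Permit rule (a hypothetical "admin" role rule) to show when the purpose check is actually enforced.

```python
import re

# Constructed mini-evaluator (NOT an XACML engine) for the two rule shapes in the thread.
# A request is a dict keyed by (category, attribute-id) -> bag (list) of string values.

def string_regexp_match(pattern: str, value: str) -> bool:
    """string-regexp-match: first argument is the regex, second the string."""
    return re.search(pattern, value) is not None

def any_of_any(func, bag1, bag2) -> bool:
    """any-of-any: true if func holds for any pair drawn from the two bags."""
    return any(func(a, b) for a in bag1 for b in bag2)

def designator(request: dict, category: str, attribute_id: str) -> list:
    """AttributeDesignator with MustBePresent="false": absent attribute -> empty bag."""
    return request.get((category, attribute_id), [])

def purposes_match(request: dict) -> bool:
    # Resource purpose is the pattern, action purpose the matched string, as in the rule.
    return any_of_any(string_regexp_match,
                      designator(request, "resource", "purpose"),
                      designator(request, "action", "purpose"))

# A rule is (Effect, condition); a false condition makes the rule NotApplicable.
PROFILE_RULE = ("Permit", purposes_match)                 # the profile's (corrected) Permit rule
BETTER_RULE = ("Deny", lambda r: not purposes_match(r))   # Deny with negated condition
OTHER_PERMIT = ("Permit",                                 # hypothetical unrelated Permit rule
                lambda r: "admin" in designator(r, "subject", "role"))

def evaluate_rule(rule, request: dict) -> str:
    effect, condition = rule
    return effect if condition(request) else "NotApplicable"

def deny_overrides(rules, request: dict) -> str:
    """Simplified deny-overrides: any Deny wins, else any Permit, else NotApplicable."""
    decisions = [evaluate_rule(r, request) for r in rules]
    if "Deny" in decisions:
        return "Deny"
    if "Permit" in decisions:
        return "Permit"
    return "NotApplicable"

# Constructed sample requests: purposes that differ, purposes that match, action purpose absent.
MISMATCH = {("resource", "purpose"): ["research"], ("action", "purpose"): ["marketing"],
            ("subject", "role"): ["admin"]}
MATCH = {("resource", "purpose"): ["research"], ("action", "purpose"): ["research"],
         ("subject", "role"): ["admin"]}
NO_ACTION_PURPOSE = {("resource", "purpose"): ["research"], ("subject", "role"): ["admin"]}

if __name__ == "__main__":
    for name, rules in (("profile Permit rule", [PROFILE_RULE, OTHER_PERMIT]),
                        ("Deny rule with not()", [BETTER_RULE, OTHER_PERMIT])):
        print(name, "+ admin rule, mismatched purposes ->", deny_overrides(rules, MISMATCH))
```

With the Permit rule the mismatched request is still permitted by the other rule; with the Deny rule the mismatch (and the missing action purpose, since any-of-any over an empty bag is false) is denied regardless of the other rule.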



