OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml-comment message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [xacml-comment] Re: Broken Rule in Privacy Policy Profile



Doh! I get it now. Sorry for my misunderstanding.

On 02/23/2012 06:31 PM, Steven Legg wrote:

Hi Farrukh,

I was just pointing out that the privacy profile uses:

    urn:oasis:names:tc:xacml:2.0:function:string-regexp-match

as a FunctionId, but this is not a URI defined in the core specification.
I just cut and pasted that URI into my message without checking its
validity. The core specification does define the remarkably similar:

    urn:oasis:names:tc:xacml:1.0:function:string-regexp-match

which is presumably the function that was intended to be used by the
privacy profile.

Regards,
Steven

On 24/02/2012 12:39 AM, Farrukh Najmi wrote:

Unless the function definition has changed in some way its URI should not be changed between versions. Doing so would break existing implementations. The URI just needs to be unique for each specific version of a
function.

It seems sensible to use a convention to use the release number of the release where the new version was introduced and not changing it between releases until another new version is introduced.

Sorry if I misunderstood your comment.

On 02/22/2012 09:53 PM, Steven Legg wrote:

The URI for the string-regexp-match function is wrong also (in the profile and in my suggested corrections). The version should be 1.0 rather than 2.0.

Regards,
Steven

On 22/02/2012 9:58 AM, Steven Legg wrote:

The rule in section 4.1 of Committee Specification 1 of the XACML v3.0
Privacy Policy Profile Version 1.0 is broken. The arguments to the
string-regexp-match function are both bags (<AttributeDesignator>) when they
should be primitive values.

Noting that it is reasonable for the purpose attributes to be multi-valued,
a correct form for the condition would be:

<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
<Function
FunctionId="urn:oasis:names:tc:xacml:2.0:function:string-regexp-match"/>
<AttributeDesignator MustBePresent="false"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
AttributeId="urn:oasis:names:tc:xacml:2.0:resource:purpose"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
<AttributeDesignator MustBePresent="false"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
AttributeId="urn:oasis:names:tc:xacml:2.0:action:purpose"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Condition>

However, even when corrected, the rule is not as useful as it could be. The rule is described as stipulating "that access SHALL be denied unless the purpose for which access is requested matches ... the purpose for which the data resource was collected" but the rule actually permits access if the purposes match. The only way access is denied when the purposes don't match is if the specified rule is the *only* permit rule, which is a significant
limitation.

A better formulation would be to change the effect to Deny and negate the condition so that when the purposes don't match, the overall effect is Deny regardless of whether any other rules permit or deny access. That is, I think
the rule should be:

<Rule xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17
xacml-core-v3-schema-wd-17.xsd"
RuleId="urn:oasis:names:tc:xacml:2.0:matching-purpose"
Effect="Deny">
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
<Function
FunctionId="urn:oasis:names:tc:xacml:2.0:function:string-regexp-match"/>
<AttributeDesignator MustBePresent="false"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
AttributeId="urn:oasis:names:tc:xacml:2.0:resource:purpose"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
<AttributeDesignator MustBePresent="false"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
AttributeId="urn:oasis:names:tc:xacml:2.0:action:purpose"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Apply>
</Condition>
</Rule>


Regards,
Steven








--
Regards,
Farrukh Najmi

Web: http://www.wellfleetsoftware.com




[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]