Subject: Re: [xacml-comment] Re: Broken Rule in Privacy Policy Profile
Doh! I get it now. Sorry for my misunderstanding.

On 02/23/2012 06:31 PM, Steven Legg wrote:

Hi Farrukh,

I was just pointing out that the privacy profile uses:

urn:oasis:names:tc:xacml:2.0:function:string-regexp-match

as a FunctionId, but this is not a URI defined in the core specification. I just cut and pasted that URI into my message without checking its validity. The core specification does define the remarkably similar:

urn:oasis:names:tc:xacml:1.0:function:string-regexp-match

which is presumably the function that was intended to be used by the privacy profile.

Regards,
Steven

On 24/02/2012 12:39 AM, Farrukh Najmi wrote:

Unless the function definition has changed in some way its URI should not be changed between versions. Doing so would break existing implementations. The URI just needs to be unique for each specific version of a function. It seems sensible to use a convention to use the release number of the release where the new version was introduced and not changing it between releases until another new version is introduced.

Sorry if I misunderstood your comment.

On 02/22/2012 09:53 PM, Steven Legg wrote:

The URI for the string-regexp-match function is wrong also (in the profile and in my suggested corrections). The version should be 1.0 rather than 2.0.

Regards,
Steven

On 22/02/2012 9:58 AM, Steven Legg wrote:

The rule in section 4.1 of Committee Specification 1 of the XACML v3.0 Privacy Policy Profile Version 1.0 is broken.

The arguments to the string-regexp-match function are both bags (<AttributeDesignator>) when they should be primitive values. Noting that it is reasonable for the purpose attributes to be multi-valued, a correct form for the condition would be:

<Condition>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
    <Function FunctionId="urn:oasis:names:tc:xacml:2.0:function:string-regexp-match"/>
    <AttributeDesignator MustBePresent="false"
        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
        AttributeId="urn:oasis:names:tc:xacml:2.0:resource:purpose"
        DataType="http://www.w3.org/2001/XMLSchema#string"/>
    <AttributeDesignator MustBePresent="false"
        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
        AttributeId="urn:oasis:names:tc:xacml:2.0:action:purpose"
        DataType="http://www.w3.org/2001/XMLSchema#string"/>
  </Apply>
</Condition>

However, even when corrected, the rule is not as useful as it could be. The rule is described as stipulating "that access SHALL be denied unless the purpose for which access is requested matches ... the purpose for which the data resource was collected" but the rule actually permits access if the purposes match. The only way access is denied when the purposes don't match is if the specified rule is the *only* permit rule, which is a significant limitation. A better formulation would be to change the effect to Deny and negate the condition so that when the purposes don't match, the overall effect is Deny regardless of whether any other rules permit or deny access.

That is, I think the rule should be:

<Rule xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17 xacml-core-v3-schema-wd-17.xsd"
    RuleId="urn:oasis:names:tc:xacml:2.0:matching-purpose"
    Effect="Deny">
  <Condition>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
        <Function FunctionId="urn:oasis:names:tc:xacml:2.0:function:string-regexp-match"/>
        <AttributeDesignator MustBePresent="false"
            Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
            AttributeId="urn:oasis:names:tc:xacml:2.0:resource:purpose"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
        <AttributeDesignator MustBePresent="false"
            Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
            AttributeId="urn:oasis:names:tc:xacml:2.0:action:purpose"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </Apply>
    </Apply>
  </Condition>
</Rule>

Regards,
Steven

--
Regards,
Farrukh Najmi
Web: http://www.wellfleetsoftware.com
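The point of the thread, as an added example that is not part of the thread or of the OASIS profile: a small Python model of the two rule formulations (Permit-on-match versus Deny-on-mismatch) combined with an unrelated Permit rule under deny-overrides. The purpose values, the helper names, and the treatment of string-regexp-match as a full-string match are assumptions.

```python
import re

def string_regexp_match(pattern, value):
    # XACML string-regexp-match(pattern, string). Modelled as a full-string
    # match; this is an assumption, XACML specifies XML Schema regex syntax.
    return re.fullmatch(pattern, value) is not None

def any_of_any(fn, bag1, bag2):
    # XACML any-of-any: true if fn(a, b) holds for some a in bag1 and b in bag2.
    return any(fn(a, b) for a in bag1 for b in bag2)

def purpose_rule_permit(resource_purposes, action_purposes):
    # The section 4.1 rule with its bag arguments corrected: Effect="Permit"
    # when the purposes match; otherwise the rule does not apply.
    if any_of_any(string_regexp_match, resource_purposes, action_purposes):
        return "Permit"
    return "NotApplicable"

def purpose_rule_deny(resource_purposes, action_purposes):
    # The proposed rule: Effect="Deny" with the condition wrapped in not(...),
    # so a purpose mismatch yields Deny and a match leaves other rules to decide.
    if not any_of_any(string_regexp_match, resource_purposes, action_purposes):
        return "Deny"
    return "NotApplicable"

def deny_overrides(decisions):
    # Simplified XACML deny-overrides: any Deny wins, then any Permit.
    # Indeterminate results are not modelled here.
    if "Deny" in decisions:
        return "Deny"
    if "Permit" in decisions:
        return "Permit"
    return "NotApplicable"

def evaluate(purpose_rule, other_rule_decisions, resource_purposes, action_purposes):
    # Combine the purpose rule with the already-evaluated decisions of the
    # policy's other rules (e.g. a role-based Permit rule).
    decisions = [purpose_rule(resource_purposes, action_purposes)]
    return deny_overrides(decisions + list(other_rule_decisions))

# Constructed sample bags (not from the thread): the resource was collected for
# purposes expressed as regular expressions; the action states one purpose.
COLLECTED_FOR = ["research.*", "treatment"]
MISMATCH_REQUEST = ["billing"]
MATCH_REQUEST = ["research-study"]

if __name__ == "__main__":
    for name, rule in (("profile rule", purpose_rule_permit),
                       ("proposed rule", purpose_rule_deny)):
        print(name, "mismatch + other Permit:", evaluate(rule, ["Permit"], COLLECTED_FOR, MISMATCH_REQUEST))
        print(name, "match + other Permit:", evaluate(rule, ["Permit"], COLLECTED_FOR, MATCH_REQUEST))
```

With a purpose mismatch and another Permit rule present, the profile's formulation still yields Permit while the proposed Deny rule yields Deny; with matching purposes both yield Permit.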