Subject: Re: [xacml] New issue#1 from "Boolean Policy resolution"


On Mon, 11 Feb 2002, bill parducci wrote:

> > In the proposed logic,
> >
> > t AND t = t
> > t AND n/a = t
> >
> > However, that does NOT mean that for
> >
> > t AND x = t
> >
> > x must be t (in this logic). For an analogous example in classical
> > logic,
> > Take implication =>
> >
> > t => t = t
> > t => f = f
> > f => t = t
> > f => f = t
> >
> > x => t = t does not force x to be t
> > f => x = t does not force x to be t.
> >
> > n/a is n/a. It is a separate entity.
>
> ok, but let's step away from the academic perspective for a sec and look at the
> implementational issues. whether or not n/a is symbolically unique is not
> relevant to the process itself *by definition*, right?
>
> t + n/a
>
> is reduced to
>
> t
>
> which yields GRANT
>
> therefore, n/a evaluates to TRUE when it comes to granting access to a resource
> for all intents and purposes. i agree that this is not true WRT to pure logical
> expressionism, but the fact remains that access is granted without all
> predicates explicitly evaluating to true and that is not good form in my book.
>

Well, it doesn't matter what you call it. However, if you are going to go
with standard logic practices, then OR would have to change accordingly as
well, especially if you have NOT, and you want to preserve things like
De Morgan's Law. All of which exists for a reason, perhaps forgotten by
many long ago.

If there is a problem with semantics, we certainly can change the names.
However, we introduced N/A in the logic for a specific purpose, and hence
felt it necessary to go with a three valued (4 with Error) logic for
policy composition purposes. The semantics we want for a policy that
doesn't apply means that it doesn't enter into the equation. It doesn't
evaluate to true. It is a "I Don't Care".

The <N-OF n=3>pred1 pred2 pred3</N-OF> construct gets you what you want by
requiring all predicates to return TRUE.  We could certainly add an
equivalent operator of <ALL-OF> for the proper semantic meaning.
But then again, I don't see a lot of Humans writing security policy in
XML, so the sugar should be unnecessary. If I'm wrong, I'll go back to
playing with my Turing machine. :^)

Cheers,
-Polar
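The logic argued over in this message, written out as an added example; it is not code from the XACML list, the draft spec, or either author. The value names (T, F, NA, ERR), the choice to let any Error operand poison the result, and the decision that N-OF returns F when fewer than n predicates return TRUE are assumptions made here; the thread only says the logic is three-valued plus Error, that n/a drops out of AND and OR, and that N-OF counts only TRUE predicates. The example checks Polar's point that De Morgan's law survives only if n/a is treated the same way under AND and OR, and Bill's point that "t AND n/a" still grants while N-OF does not.

```python
from enum import Enum
from itertools import product


class V(Enum):
    """Four-valued policy result: three values plus Error, as in the thread."""
    T = "t"
    F = "f"
    NA = "n/a"
    ERR = "error"


def not_(a):
    # NOT flips t/f; n/a and error are preserved (assumption: they are not truth values)
    if a is V.T:
        return V.F
    if a is V.F:
        return V.T
    return a


def and_(*args):
    """AND with n/a as 'I don't care': a non-applicable operand drops out."""
    if V.ERR in args:
        return V.ERR            # assumption: any Error operand poisons the result
    live = [a for a in args if a is not V.NA]
    if not live:
        return V.NA             # nothing applied at all
    return V.F if V.F in live else V.T


def or_(*args):
    """OR with the same treatment of n/a, so that De Morgan's law still holds."""
    if V.ERR in args:
        return V.ERR
    live = [a for a in args if a is not V.NA]
    if not live:
        return V.NA
    return V.T if V.T in live else V.F


def n_of(n, *preds):
    """<N-OF n=...>: TRUE only if at least n predicates return TRUE.
    n/a is not TRUE, so it cannot help make the quota (assumption: result is F then)."""
    if V.ERR in preds:
        return V.ERR
    return V.T if sum(p is V.T for p in preds) >= n else V.F


def all_of(*preds):
    """The <ALL-OF> sugar Polar mentions: N-OF with n equal to the predicate count."""
    return n_of(len(preds), *preds)


def with_na_as_true(op, *args):
    """Bill's reading: n/a 'evaluates to TRUE'. Coerce it and apply the operator."""
    return op(*(V.T if a is V.NA else a for a in args))


def de_morgan_holds():
    """Check NOT(a AND b) == NOT a OR NOT b and its dual over all 16 value pairs."""
    for a, b in product(V, V):
        if not_(and_(a, b)) is not or_(not_(a), not_(b)):
            return False
        if not_(or_(a, b)) is not and_(not_(a), not_(b)):
            return False
    return True


if __name__ == "__main__":
    print("t AND n/a        =", and_(V.T, V.NA).value)
    print("f OR n/a         =", or_(V.F, V.NA).value)
    print("N-OF 3 (t,t,n/a) =", n_of(3, V.T, V.T, V.NA).value)
    print("f OR n/a, n/a->t =", with_na_as_true(or_, V.F, V.NA).value)
    print("De Morgan holds  =", de_morgan_holds())
```

With n/a as an identity for both connectives, `and_(V.T, V.NA)` grants, exactly as Bill objects, yet `n_of(3, V.T, V.T, V.NA)` and `all_of(...)` do not, which is the construct Polar offers. The `with_na_as_true` path shows why the naming matters: once n/a is coerced to TRUE, `f OR n/a` grants as well, so a policy that does not apply would grant access through OR.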