[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: RE: [xacml] Discussion summary and revised post-condition proposal
I think the original question from Polar leads two arguments: "how to
compute obligation(s) in the composed policy?" and "how to determine the
permission in the composed policy?". For the first argument, I think that
responses from both Carlisle and Bill show the reasonable semantics. The
difference is related to the interpretation of <All-must-permit> predicate
and "Indeterminate". I think this is the issue of the second argument. I am
not sure how we should determine the permission that has Indeterminate even
in the case no obligations are used.
I am not sure whether this helps our discussion, SAML defines the semantics
of <Condition> element as follows:
-If any condition evaluates to Invalid, the assertion status is Invalid.
-If no condition evaluates to Invalid and one or more conditions evaluate
to Indeterminate, the assertion status is Indeterminate.
-If no conditions are supplied or all the specified conditions evaluate to
Valid, the assertion status is Valid.
Condition uses a set of values Valid, Invalid, and Indeterminate, and it
seems to give those values a priority like Invalid > Indeterminate > Valid.
If we translate Valid->Permit and Invalid->Deny, then the answer of Policy
C becomes equivalent to Carlisle's idea.
Michiharu
IBM Tokyo Research Laboratory, Internet Technology
Tel. +81 (46) 215-4642 Fax +81 (46) 273-7428
From: Carlisle Adams <carlisle.adams@entrust.com> on 2002/02/22 06:42
To: "'bill parducci'" <bill@parducci.net>
cc: XACML TC <xacml@lists.oasis-open.org>
Subject: RE: [xacml] Discussion summary and revised post-condition proposa
l
Hi Bill,
I suppose it could go either way, but my feeling was that if the PDP
couldn't get an answer regarding Policy A, then it couldn't give an answer
regarding Policy C. If more information was available, or if some server
somewhere wasn't down, or whatever, the PDP would be able to evaluate
Policy A and Policy B and return a Permit/Deny answer. As it is, however,
it has to return indeterminate because it just doesn't know.
I can see the argument saying that "All-must-permit" means "if you get
anything other than permit, you must deny". I could certainly live with
that interpretation if others prefer it. This comes back to defining the
3- or 4-valued logic for each of our combinators since, at least in our
current syntax, the combinator is likely to be <and> rather than
<All-must-permit>...
Carlisle.
----------
From: bill parducci[SMTP:bill@parducci.net]
Sent: Thursday, February 21, 2002 4:25 PM
To: XACML TC
Subject: Re: [xacml] Discussion summary and revised
post-condition proposa l
Carlisle Adams wrote:
> Hi,
>
> I've filled in the column for Policy C below.
[...]
> Policy A Policy B Policy C
> ------------------------------------
> Permit Permit Permit: P, R, and D
> Permit Deny Deny: S, E
> Permit Indeterminate Indeterminate: no obligations
> Deny Permit Deny: Q, E
> Deny Deny Deny: Q, S, E
> Deny Indeterminate Deny: Q, E
> Indeterminate Permit Indeterminate: no
obligations
> Indeterminate Deny Deny: S, E
> Indeterminate Indeterminate Indeterminate: no obligations
curious as to how you arrived at these:
> Policy A Policy B Policy C
> ------------------------------------
> Permit Indeterminate Indeterminate: no obligations
> Indeterminate Permit Indeterminate: no obligations
> Indeterminate Indeterminate Indeterminate: no obligations
given that policy C has this:
> <All-must-permit>
> Policy-A
> Policy-B
> </all-must-permit>
my read is that these would be resolved thus:
Policy A Policy B Policy C
------------------------------------
Permit Indeterminate Deny: E
Indeterminate Permit Deny: E
Indeterminate Indeterminate Deny: E
b
p.s. great example, polar!
----------------------------------------------------------------
To subscribe or unsubscribe from this elist use the subscription
manager: <http://lists.oasis-open.org/ob/adm.pl>
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC