

Subject: [xacml] Issues for 7/15/02 schema subcommittee meeting


Colleagues, here is my list of issues for this morning's schema
subcommittee meeting.  -Anne

2. [Anne] Handling of multiple decisions
   http://lists.oasis-open.org/archives/xacml/200207/msg00044.html
   [Michiharu response]
   http://lists.oasis-open.org/archives/xacml/200207/msg00049.html

   Treat like separate evaluation for each element in resource
   sub-tree?  If treat together, how are effects combined?

   Decision: TBD.

3. [Anne] Optional <Target> in Rule (since often same as Policy)
   http://lists.oasis-open.org/archives/xacml/200207/msg00011.html

    Options:
    a. Optional <Target> in Rule (already optional in 15g):
       semantics ::= "match"
    b. Define <Target> to be a choice
         1. urn:oasis:...:anyTarget, or
         2. <Subject>...</Subject>,<Resource>...</Resource>,...
       and use 1. for this case.
    c. Use <Subject>urn:oasis:...:any</Subject>,
       <Resource>urn:oasis:...:any</Resource> for this case.

    Decision: Decide on Monday

15. [Daniel] mapping "numeric"
     http://lists.oasis-open.org/archives/xacml/200207/msg00033.html

     In general, I am rather concerned that no clear type
     compatibility/conversion rules are defined. It is not just
     hard to write an implementation, even with an unlimited
     supply of summer interns available, it is unsafe -
     different implementations are bound to interpret it just
     different enough to cause a lot of problems.

     Using stated promotion rules to determine the return type
     of a "numerical" operation breaks the idea of strong typing
     of the return type of the function.  Not good for policy
     verification.

     Decision: probably just an issue for floating point values,
     which are not commonly used in policies, so not a big issue.
     Daniel and others with concerns are welcome to propose a method
     for mapping these if they still see issues.

16. [Anne] Target matching:
    http://lists.oasis-open.org/archives/xacml/200207/msg00018.html
    [Michiharu response]
    http://lists.oasis-open.org/archives/xacml/200207/msg00032.html
    [Michiharu new response]
    http://lists.oasis-open.org/archives/xacml/200207/msg00050.html

    a. Just use XPATH?
    b. Use XPATH for AttributeDesignator plus a specified value
      to be matched, plus an implied xacml:equals operator?
    c. As in b, but specify the operator?

    Sub-issues:
    a. XPATH can return 0 nodes, 1 node, or multiple nodes.
       (specify ALL or ANY match; XPath 2.0 does not support)

       Example: point to "role" AttributeName.  Want to match "at
       least one".

    b. A node can be structured in depth (XPath 2.0 supports
       "sequence-deep-equal"); similar to our [@Format="x" and
       Value="y"]

    Decision: XPATH, value plus use correct "equals" for the
      types specified [as in v15].  Must use "standard" "equals"
      function for the data type, but we will not spell out what
      that function is except for xml base types.  For example,
      for comparing an X500 Distinguished Name, the
      implementation would be expected to support the standard
      X500 DN MatchingRule.

    Decision: Where multiple Subjects or Resources elements occur
      in a Target, then ALL the specified matches must be
      satisfied.

    Decision: Where the AttributeDesignator in a single Subjects
      or Resources element returns multiple nodes, then the match
      is satisfied if at least one of the returned nodes matches
      the supplied comparison value.

    Decide Monday on whether sequence-deep-equal supported.

21. [Anne] {PolicySet|Policy|Rule}Designator issue
    http://lists.oasis-open.org/archives/xacml/200207/msg00045.html

    Decision: TBD

22. [Daniel] Why Function has 1...inf of arguments?  Couldn't it
    be without arguments?
    http://lists.oasis-open.org/archives/xacml/200207/msg00047.html

    Decision: TBD

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
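
Added example (not part of the original message or of any XACML draft): the issue 16 decisions evaluated in Python over a constructed request document, with ALL semantics across the matches in a Target and ANY semantics across the nodes one XPath selects. The element names, attribute names, type names and function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed request context; element and attribute names are illustrative
# and are not taken from the XACML schema drafts.
REQUEST = """
<Request>
  <Subject>
    <Attribute Name="role">auditor</Attribute>
    <Attribute Name="role">manager</Attribute>
    <Attribute Name="clearance">2</Attribute>
  </Subject>
  <Resource>
    <Attribute Name="path">/payroll/2002</Attribute>
  </Resource>
</Request>
"""

def int_equals(a, b):
    # A value that does not parse as the declared type is a non-match.
    try:
        return int(a) == int(b)
    except ValueError:
        return False

# One "equals" per data type (assumed type names). The declared type decides
# the comparison: "2" and "02" are equal as integers, unequal as strings.
EQUALS = {"string": lambda a, b: a == b, "integer": int_equals}

def match_one(root, xpath, data_type, value):
    """ANY semantics: satisfied if at least one selected node equals value.
    An XPath that selects zero nodes therefore never matches."""
    equals = EQUALS[data_type]
    nodes = root.findall(xpath)
    return any(equals((n.text or "").strip(), value) for n in nodes)

def target_matches(root, matches):
    """ALL semantics: every (xpath, data_type, value) match must be satisfied."""
    return all(match_one(root, *m) for m in matches)

def evaluate(request_xml, matches):
    return target_matches(ET.fromstring(request_xml), matches)

ROLE = "./Subject/Attribute[@Name='role']"
PATH = "./Resource/Attribute[@Name='path']"
CLEARANCE = "./Subject/Attribute[@Name='clearance']"
```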


