Subject: [xacml] change request: add Datatype back to policy elements


[Forwarded for Seth, who still can't post to the list, although
he is subscribed. -Anne]

From: Seth Proctor <seth.proctor@sun.com>
Subject: followup to dataType comments
To: xacml@lists.oasis-open.org
Date: Wed, 02 Oct 2002 18:10:02 -0400

[I seem to have been added to the xacml list faster than expected, so no
 comments need be sent directly to me any more...]

Adding to my previous mail, the same arguments apply to putting the dataType
attribute back on at least AttributeSelector, and maybe AttributeDesignator.
I realize these were just recently removed, so my apologies for bringing this
up, but I think it's pretty important (and from my quick reading of the archive
I didn't see any comments along my train of thought, although please point me
in the right direction if I've missed something).

The AttributeSelector type lets the PDP look into the request, and pull out
some arbitrary string data that has no type associated with it. Because of
this, once again the data is being defined by function inputs, and not what
the Request author intended. Also, as I discussed in my previous email, this
lets multiple AttributeSelectors pull out the same data but treat it as
different types based on the function being used (either in a Match or an
Apply), which seems like a Bad Thing. I would be much happier if a policy
writer could provide an XPath statement, but also say what kind of data
should be returned.

I'm less concerned about the AttributeDesignator having a dataType attribute,
since as long as the dataType attribute is required in the Request Attribute,
we'll always know what the intended data type is. That said, both for
consistency in the language, and to make sure that the correct type is being
pulled out of the Request (i.e., something with the correct id but wrong type
could be found in the Request, and we'd have no way of knowing), I would like
to see the dataType field in the AttributeDesignator as well. It makes the
implementation faster, cleaner, and gives it more chances to check that the
right thing is being done.

thanks

seth "I promise not to bring up too many issues" proctor
-- 
Internet Security Research Group
Sun Microsystems Labs
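The following is an added illustration of the point made in the message above; it is not code from the original post, from Seth, or from any XACML implementation. It models a Request with two Subject attributes that share an AttributeId but declare different DataTypes (a constructed, hypothetical document with namespaces omitted), then compares an AttributeSelector and an AttributeDesignator written with and without a DataType. Without one, the same XPath result is coerced differently by whichever function consumes it, so an integer function and a string function give opposite answers for identical data; with one, the type is fixed at retrieval and a mismatched function yields Indeterminate instead of a silent reinterpretation. The function names, the `clearance` attribute and the sample values are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

STRING = "http://www.w3.org/2001/XMLSchema#string"
INTEGER = "http://www.w3.org/2001/XMLSchema#integer"
PARSERS = {STRING: str, INTEGER: int}

# Constructed sample Request (hypothetical; not taken from the XACML spec,
# namespaces dropped to keep the XPaths short). Two Attributes share an
# AttributeId but carry different declared DataTypes.
REQUEST_XML = """<Request>
  <Subject>
    <Attribute AttributeId="clearance" DataType="%s">
      <AttributeValue>007</AttributeValue>
    </Attribute>
    <Attribute AttributeId="clearance" DataType="%s">
      <AttributeValue>3</AttributeValue>
    </Attribute>
  </Subject>
</Request>""" % (STRING, INTEGER)

XPATH = ".//Subject/Attribute[@AttributeId='clearance']/AttributeValue"


class Indeterminate(Exception):
    """Raised when a typed value reaches a function of a different type."""


# ---- AttributeSelector: XPath over the Request -----------------------------

def selector_untyped(request, xpath):
    """No DataType: returns raw text; the consuming function decides the type."""
    return [node.text for node in request.findall(xpath)]


def selector_typed(request, xpath, datatype):
    """With DataType: each value is parsed once, at retrieval, and tagged so a
    later function cannot reinterpret it as something else."""
    return [(datatype, PARSERS[datatype](node.text)) for node in request.findall(xpath)]


# ---- AttributeDesignator: lookup by AttributeId ----------------------------

def designator_untyped(request, attribute_id):
    """No DataType: any Attribute with the right id matches, whatever its
    declared DataType, so the bag can mix types."""
    return [a.find("AttributeValue").text
            for a in request.iter("Attribute")
            if a.get("AttributeId") == attribute_id]


def designator_typed(request, attribute_id, datatype):
    """With DataType: both the id and the declared type must match."""
    return [(datatype, PARSERS[datatype](a.find("AttributeValue").text))
            for a in request.iter("Attribute")
            if a.get("AttributeId") == attribute_id and a.get("DataType") == datatype]


# ---- functions as used in a Match or Apply ---------------------------------

def untyped_is_in(bag, literal, datatype):
    """Untyped variant: coerces every raw value to the function's own type."""
    parse = PARSERS[datatype]
    return any(parse(v) == parse(literal) for v in bag)


def typed_is_in(bag, literal, datatype):
    """Typed variant: refuses values tagged with a different DataType."""
    for tag, _ in bag:
        if tag != datatype:
            raise Indeterminate("%s function fed a %s value" % (datatype, tag))
    return any(value == PARSERS[datatype](literal) for _, value in bag)


def same_data_two_answers():
    """Untyped selector: one XPath, one bag, opposite results depending only
    on which function consumes it."""
    request = ET.fromstring(REQUEST_XML)
    bag = selector_untyped(request, XPATH)       # ['007', '3']
    as_int = untyped_is_in(bag, "7", INTEGER)    # int('007') == 7  -> True
    as_str = untyped_is_in(bag, "7", STRING)     # '007' == '7'     -> False
    return as_int, as_str


def typed_selector_rejects_reinterpretation():
    """Typed selector: the policy author fixed the type as string, so an
    integer function cannot quietly re-read the same data."""
    request = ET.fromstring(REQUEST_XML)
    bag = selector_typed(request, XPATH, STRING)
    try:
        typed_is_in(bag, "7", INTEGER)
    except Indeterminate:
        return "Indeterminate"
    return "Decision"


def designator_filters_by_type():
    """Designator with a DataType drops the same-id attribute of the wrong type."""
    request = ET.fromstring(REQUEST_XML)
    return (designator_untyped(request, "clearance"),          # ['007', '3']
            designator_typed(request, "clearance", INTEGER))   # [(INTEGER, 3)]


if __name__ == "__main__":
    print(same_data_two_answers())
    print(typed_selector_rejects_reinterpretation())
    print(designator_filters_by_type())
```

The untyped path is the situation the message objects to: the policy never states what `007` is, so a Match using an integer function and an Apply using a string function disagree about the very same node. Tagging the value at retrieval turns that disagreement into an explicit Indeterminate, and the typed designator additionally rejects a Request attribute that has the right id but the wrong declared type.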
