OASIS Mailing List Archives

xacml message



Subject: Re: [xacml] CR: Policy Indexing


On Fri, 11 Oct 2002, Hal Lockhart wrote:

> Section 2.8 describes two policy indexing strategies. This seems like a
> reasonable discussion to motivate the use of target, but I have a couple of
> concerns.
>
> 1. My most important concern is that it states that "only one policy
> statement applies". This is contrary to my understanding (or what are
> combining algorithms for?) and it appears to contradict section 2.2
> specifically.

I agree. I drafted a One-applicable-policy combining algorithm to handle
this case. In conjunction, in Section 7.1, it states that a PDP shall
represent One Policy or Policy Set.

That should take care of it.

However, the next sentence in 7.1 may be worrisome, which says "Should
the PDP be dynamic in nature in retrieving policies based on the request,
the PDP SHALL act as if it represents a single policy set with the "Only
One Applicable Policy" policy combining algorithm."


So, what I think this is saying is that if you do not explicitly configure
your PDP with a single Policy or Policy Set, it specifies a default
behavior of finding the "only" policy that should apply.

Hal, do you think this jives?

I think we should really get rid of the text that stipulates that only one
policy applies in Section 2.8, and leave it to the 7.1 section.

Cheers,
-Polar


>
> 2. I really don't see that strong a distinction between the two cases and I
> suspect that they are not the only possibilities either. It seems to me that
> the general case is basically that you have a bunch of policies stored
> someplace and you need to find the ones (hopefully using some efficient
> technique) whose Targets match the corresponding fields in the Request
> Context. Period.
>
> Am I missing some subtleties here? If there is general agreement, I would
> be willing to draft some text, but I don't want to do so until there is
> consensus.
>
> Hal
>
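
Added example, not part of the original message or of the XACML drafts under discussion: a Python sketch of the two ideas in this thread, selecting the stored policies whose Targets match the request and combining them with only-one-applicable semantics as they appear in the published XACML specification (none applicable gives NotApplicable, more than one gives Indeterminate). The names Policy, target_matches, only_one_applicable and POLICIES are hypothetical, and Target matching is reduced to attribute equality.

```python
# Added illustration; all names and sample policies here are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List

Request = Dict[str, str]

@dataclass
class Policy:
    policy_id: str
    target: Dict[str, str]              # attribute -> required value; {} matches any request
    evaluate: Callable[[Request], str]  # returns "Permit" or "Deny"

def target_matches(policy: Policy, request: Request) -> bool:
    """Simplified Target match: every attribute in the Target must equal the request's value."""
    return all(request.get(attr) == value for attr, value in policy.target.items())

def only_one_applicable(policies: List[Policy], request: Request) -> str:
    """Evaluate the single policy whose Target matches; refuse to choose between several."""
    selected = None
    for policy in policies:
        if not target_matches(policy, request):
            continue
        if selected is not None:
            # Two policies claim the request: report the ambiguity instead of
            # silently letting store order decide the access decision.
            return "Indeterminate"
        selected = policy
    if selected is None:
        return "NotApplicable"
    return selected.evaluate(request)

# Constructed policy store standing in for a PDP that retrieves policies per request.
POLICIES = [
    Policy("doctors-read-records", {"role": "doctor", "resource": "record"},
           lambda r: "Permit" if r.get("action") == "read" else "Deny"),
    Policy("billing-invoices", {"role": "billing", "resource": "invoice"},
           lambda r: "Permit"),
    Policy("records-catch-all", {"resource": "record"}, lambda r: "Deny"),
]

if __name__ == "__main__":
    for req in ({"role": "doctor", "resource": "record", "action": "read"},
                {"role": "nurse", "resource": "record", "action": "read"},
                {"role": "billing", "resource": "invoice", "action": "read"},
                {"role": "guest", "resource": "report", "action": "read"}):
        print(req, "->", only_one_applicable(POLICIES, req))
```

The doctor request matches both the doctor policy and the catch-all, so the result is Indeterminate; a PEP that treats Indeterminate as a denial turns overlapping Targets into a visible configuration error.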


