OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: Re: [xacml] bags and targets. Forwarded message from Seth Proctor.



On Thu, 17 Oct 2002, Seth Proctor wrote:

>
> > This sentence means exactly what it says. If the the selector or
> > designator evalutates to an empty bag, then there is no match, i.e. the
> > match "predicate" is False.
>
> Yes, I understand that. What I don't understand is how the bag could be empty
> and not have that be an Indeterminate case. This is the only question I was
> asking.

If I ask you whether or not you have any bills in your wallet that have a
picture of Ulysses S. Grant on them. What will you tell me?

-Polar

>
> If an AD or AS is asked to resolve a particular attribute, and it fails to
> do so, then this is an indeterminate state, and typically a Status message
> gets returned about some missing attributes. The spec is very clear that in
> a match operation, if the AD/AS fails to resolve a value and returns
> Indeterminate, then the match evaluates to Indtereminate immedeately.
>
> The sentence that I called out, however, suggests that an AD/AS can return
> an empty bag and not have that be a failure case. Thus, my question. How can
> the bag be empty and not represent a failure. the one case I suggested is that
> the Attribute in the Request had no AttributeValues associated with it. If
> this is the correct explination, then the text should be explicit and expain
> this. If this is not the case, then the text should explain what's going on.
> Either way, there needs to be clarification here, and probably in the section
> on AD/AS types as well.
>
> > The match predicate is akin to asking, "Do you have one or more of any
> > subject ids that match "john.*". If you have none, then False, if you have
> > at least one, then True.
> >
> > This is a composition of three functions:  an Attribute Designator i.e.
> > "Get me all subject ids", a match filter, i.e. "that match 'john.*', and a
> > length predicate "length > 0".
> >
> > Regardless of the match filter, if you have zero elements to start with,
> > you will end up with zero elements after you apply the match filter, and
> > therefore, vacuously, you don't have a match.
>
> This is all made clear by the spec. I wasn't asking for clarification on any
> of these points.
>
>
> seth
>

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC