Re: [xacml] bags and targets. Forwarded message from Seth Proctor.

[Polar Humenn <polar@syr.edu>]

On Fri, 18 Oct 2002, Anne Anderson wrote:

> On 17 October, Polar Humenn writes: Re: [xacml] bags and targets. Forwarded message from Seth Proctor.
>  > This sentence means exactly what it says. If the the selector or
>  > designator evalutates to an empty bag, then there is no match, i.e. the
>  > match "predicate" is False.
>
> Isn't this in direct contradiction to your proposed text for
> "7.4.2.2 Missing Attributes":
>
>     7.4.2.2 Missing Attributes
>
>     The PDP SHALL consider an attribute as missing if it
>     evaluates an expression that requires at least one value to
>     be present from an attribute designator or selector.

No,

This says if the PDP "evaluates an expression that requires at least one
value to be present"

Such an example would be

<Apply FunctionId="string-one-and-only">
	<AttributeDesignator
             AttributeId="urn:...:name"
             DataType="xs:string"/>
</Apply>


>     In this
>     case, the expression evaluates to "indeterminate". The PDP
>     may carry the missing attribute upward in its indeterminate
>     value in accordance with the XACML evaluation strategy of the
>     encompassing expressions, rules, policies, and policy
>     sets. If the PDP evaluates its policy or policy set to
>     Indeterminate with a missing attribute, the PDP MAY list the
>     AttributeId and DataType of that attribute in the result as
>     described in Section 7.5 "Authorization decision".  However,
>     the PDP MAY choose not to issue such information due to
>     security concerns.
>
> Anne
> --
> Anne H. Anderson             Email: Anne.Anderson@Sun.COM
> Sun Microsystems Laboratories
> 1 Network Drive,UBUR02-311     Tel: 781/442-0928
> Burlington, MA 01803-0902 USA  Fax: 781/442-1692
>
>
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: <http://lists.oasis-open.org/ob/adm.pl>
>