OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: RE: [xacml] bags and targets. Forwarded message from Seth Proctor .

>We really need to pin this down.  Daniel, I think, says that only
>some sort of operational error in talking to the PIP or
>repository would result in "Indeterminate".  But we can't
>guarantee that an error would be detected or that the PDP wasn't
>querying the wrong PIP or repository.  A classic security breach
>is to make something silently unavailable (unplug a relay,
>re-route a message, etc.), and use that to access systems that
>assume something that is not available is false.


Not only an operational error - value out of the permissible value space for
the particular data type, or inability of an underlying computational
procedure to produce a result when the value is returned by an another
function application also results in Indeterminate.

What you are suggesting is that PDP should have some sort of an internal
knowledge of what information must be available in the context and signal
any discrepancy via Indeterminate result.  I do not think it is a workable
operational requirement, especially given that we do not specify much about
the internals of our virtual context (and I do not think we should).   Such
intrusion detection is probably the job of the PIP service, and yes - it can
pass Indeterminate value to the PDP if, for example, some SHA signature is
off etc.   But that is not the job of the PDP, and an empty bag is a
critically useful abstraction to use.

If you want to write your policy in the way, that prohibits access if
something is missing - you can.  Polar suggested several different
approaches to this - using present, *-one-and-only will achieve the same
effect.

I do not remember whether we agreed or even discussed my proposal to treat
designator supplied as an argument to a function requiring a single value
attribute as an implicitly wrapped in *-one-and-only type transformation
(but at least several examples used around do treat it that way).
Explicitly stating such an assumption will probably answer your concern - it
does produce Indeterminate on missing attribute, when applied to a function
requiring a singleton..

Daniel.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC