OASIS Mailing List Archives

 



xacml message



Subject: Re: [xacml] Section 7.3 re-wording



Anne,

I think we should just stop at your re-wording at

> The target value SHALL be "Match" if the subject, resource and
> action elements specified in the target all match values in the
> request context.  The target value SHALL be "No-match" if the
> subject, resource, and action elements specified in the target do
> not match values in the request context.

Here, as you did catch the mix-up between the target and the request
context in the spec.

However, the evaluation to Indeterminate is based upon the evaluation of
the contained Match Elements of which they all contain their own
Indeterminate semantics. So, I think let's leave it there.

I think we are describing the evaluation of the Target expression with
respect to its elements, not about what its elements do. That
functionality is defined elsewhere, so we don't need to redefine it here.

How about:

The target value SHALL be "Match" if the subject, resource and action
elements specified in the target result in "true". The target value SHALL
be "No-match" if one of the subject, resource, or action elements
specified in the target results in "false". The target value SHALL be
"Indeterminate" if any of the subject, resource, or action elements
results in "Indeterminate."

Similarly, I think the sentence at the end of Section 7.4 Conditions,

If any attribute value referenced in the condition cannot be obtained,
then the condition SHALL evaluate to "Indeterminate".

should be removed, as this semantics and how it is handled is defined for
every element that retrieves attribute values.

Cheers,

-Polar


> The value of a Match
> element where a referenced attribute value can not be obtained
> depends on the value of the "MustBePresent" attribute of the
> AttributeDesignator.  If the "MustBePresent" attribute is "true",
> then the result of the Match element is "Indeterminate" when the
> AttributeDesignator value can not be obtained.  If the
> "MustBePresent" attribute is "false" or missing, then the result
> of the Match element is "False" when the AttributeDesignator
> value can not be obtained.

On Mon, 25 Nov 2002, Anne Anderson wrote:

> Colleagues,
>
> The XACML Comments Subcommittee meeting on 11/25/02 proposed a
> resolution to Comment#43 via a re-wording of Section 7.3.  This
> re-wording is contained in the ACTIONS: section of the comment
> below.  We felt the re-wording needed to be posted to this list
> and looked at carefully before resolving the comment, however.
> Please read this over and post your opinion.
>
> Anne Anderson
> =========================================================================
> 0043. http://lists.oasis-open.org/archives/xacml-comment/200211/msg00080.html
> Subject: A comment on Section 7.3
> From: Satoshi Hada <SATOSHIH@jp.ibm.com>
> Date: Fri, 22 Nov 2002 15:47:49 +0900
>
> Section 7.3 says that
> The target value SHALL be "Match" if the subjects, resource and action
> specified in the request
> context are all present in (i.e., within the scope of) the target.
>
> This sentence is unclear to me because the meaning of "present" is unclear
> to me.
> Why doesn't Section 7.3 mention MatchId?
> I think Section 7.3 should reference A.12, where I can find the detailed
> semantics of MatchId.
>
> It seems to me that the term "present" is used in three places (ignoring
> the "present" function),
> 1) Section 3.3.1.1 Rule target
> The meaning of "present" used here is also unclear to me, but I can accept
> this situation
> because Section 3 is non-normative.
>
> 2) Section 5.27, 5.28, 5.29 (Resource, Action, Environment Attr Designator)
> There are clear definitions of "present" from the attribute designator
> perspective.
> (I think these definitions have nothing to do with MatchId attributes used
> in <Target>)
>
> 3)Section 7.3
> Is the term "present" used in Section 7.3 the same as the ones defined in
> Section 5.27, 5.28, 5.29???
>
> CATEGORY: Unclear.
> STATUS: Discussed 11/25/02.  Post proposed change below to the
> XACML list for further discussion.
> RESPONSE:
> ACTIONS: Change 7.3 Target Evaluation to say
>
> The target value SHALL be "Match" if the subject, resource and
> action elements specified in the target all match values in the
> request context.  The target value SHALL be "No-match" if the
> subject, resource, and action elements specified in the target do
> not match values in the request context.  The value of a Match
> element where a referenced attribute value can not be obtained
> depends on the value of the "MustBePresent" attribute of the
> AttributeDesignator.  If the "MustBePresent" attribute is "true",
> then the result of the Match element is "Indeterminate" when the
> AttributeDesignator value can not be obtained.  If the
> "MustBePresent" attribute is "false" or missing, then the result
> of the Match element is "False" when the AttributeDesignator
> value can not be obtained.
>
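
Added example (not part of the original messages or of the XACML specification): a minimal Python model of the three-valued target evaluation discussed in this thread, where each match element handles a missing attribute through "MustBePresent" and the target only combines the element results. It assumes one match element per subject/resource/action, string equality as the match function, a flat dictionary as the request context, and that "Indeterminate" takes precedence when one element is "false" and another is "Indeterminate", a case the proposed wording leaves open.

```python
from dataclasses import dataclass

TRUE, FALSE, INDETERMINATE = "true", "false", "Indeterminate"


@dataclass
class Match:
    """One match element: compares a request attribute to a literal value."""
    attribute_id: str
    value: str
    must_be_present: bool = False  # "false or missing" behaves the same

    def evaluate(self, request: dict) -> str:
        if self.attribute_id not in request:
            # Attribute value cannot be obtained: MustBePresent decides.
            return INDETERMINATE if self.must_be_present else FALSE
        # Assumption: plain string equality stands in for the MatchId function.
        return TRUE if request[self.attribute_id] == self.value else FALSE


def evaluate_target(target: dict, request: dict) -> str:
    """Combine the subject, resource and action element results."""
    results = [element.evaluate(request) for element in target.values()]
    if INDETERMINATE in results:
        # Assumption: Indeterminate wins over "false" (fail-safe reading).
        return "Indeterminate"
    if FALSE in results:
        return "No-match"
    return "Match"


# Constructed sample target and request context (hypothetical attribute ids).
TARGET = {
    "subject": Match("subject:role", "doctor", must_be_present=True),
    "resource": Match("resource:type", "record"),
    "action": Match("action:id", "read"),
}
REQUEST = {
    "subject:role": "doctor",
    "resource:type": "record",
    "action:id": "read",
}

if __name__ == "__main__":
    print(evaluate_target(TARGET, REQUEST))
    no_role = {k: v for k, v in REQUEST.items() if k != "subject:role"}
    print(evaluate_target(TARGET, no_role))
```

A policy decision point that treats "Indeterminate" the same as "No-match" silently skips policies whose attributes failed to resolve, so the two outcomes are kept distinct here.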


