Subject: Re: [xacml] Draft proposal for new work item: properties for new combining algorithm
I think that Anne raises some excellent points. These are some of the same concerns that I have, and I think that her proposal makes a lot of sense:

> Define ordered versions of permit-overrides and deny-overrides
> for XACML 1.1.

In addition to helping with this priority question, there's another issue that I think this helps resolve. It's somewhat unclear why or how unordered combining algorithms are useful. Yes, I understand the idea that a PDP may be able to re-order evaluation to make things more efficient, but the more time I spend thinking about this from the implementation point of view, the more convinced I am that this is unlikely. It's much more likely, in my mind, that the policy writer will have some idea of how a policy should be ordered, and so there should be combining algs to support that. It's just too hard to think about a PDP becoming an optimizing compiler for any given input and still being efficient.

Because the current permit/deny overrides algs are unordered I think they should remain that way, and if someone can come up with ways to use this as an optimization, I'll gladly implement it. I think that having deterministic algs, however, helps with priority, helps with obligations, and will help policy writers think about the policies they're forming.

seth
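The following sketch is an added illustration, not part of the message above and not the XACML specification's own pseudocode. It assumes a simplified model in which each policy has already evaluated to a decision plus obligations and the combiner stops at the first Deny; the policy names and obligations are constructed. It shows that the decision is the same in every evaluation order while the returned obligations are not, which is the determinism point raised about obligations.

```python
from itertools import permutations

# Constructed sample input (hypothetical names):
# (policy id, decision, obligations attached to that policy).
POLICIES = [
    ("audit-policy", "Deny", ["log-denial"]),
    ("hours-policy", "Permit", ["notify-owner"]),
    ("export-policy", "Deny", ["alert-security-team"]),
]

def deny_overrides(policies):
    """Simplified deny-overrides: the first Deny encountered wins and
    evaluation stops. Only obligations of policies that were actually
    evaluated and whose effect matches the final decision are returned."""
    permit_obligations = []
    saw_permit = False
    for _policy_id, decision, obligations in policies:
        if decision == "Deny":
            return "Deny", list(obligations)
        if decision == "Permit":
            saw_permit = True
            permit_obligations.extend(obligations)
    if saw_permit:
        return "Permit", permit_obligations
    return "NotApplicable", []

def ordered_deny_overrides(policies):
    """Ordered variant: always evaluate in the order the policy writer listed."""
    return deny_overrides(policies)

def unordered_outcomes(policies):
    """Every (decision, obligations) pair an unordered PDP could return,
    found by trying all evaluation orders."""
    outcomes = set()
    for order in permutations(policies):
        decision, obligations = deny_overrides(order)
        outcomes.add((decision, tuple(obligations)))
    return outcomes

if __name__ == "__main__":
    print("ordered:  ", ordered_deny_overrides(POLICIES))
    for outcome in sorted(unordered_outcomes(POLICIES)):
        print("unordered:", outcome)
```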