Subject: Re: [xacml] Inputs to rfc822Name-match
perhaps we could create a 'mask' that would the name to conform, but provide for a range of values to match? (ala IP masking)

in other words the resource could be 'foo@bar.com' with a mask of '@bar.com' and any request of type rfc822 containing the domain '@bar.com' would result in a match.

it is kind of a long way around to do the same thing i think tim is asking for, but it leaves the rfc822 names valid and extends by allowing the [soon to be omnipotent ;o] context handler to match a range via an *extension* of the rfc822 names.

i dunno, just thinking out of the box. (i definitely think there is a valid use case for this).

b

Tim Moses wrote:
> Seth - I am picturing a situation like this ...
>
> A policy is written to apply to the resource "email addresses". In this
> case, the target would contain a resource match with the attribute
> designator "resource-id", of type "string" and value "*".
>
> A context request is received containing the resource attribute
> "resource-id", of type "RFC 822 name" and the value "anderson@sun.com".
>
> How can the PDP tell that the policy is applicable? The resource-ids match,
> the data types don't match and "*" isn't obviously an email address.
>
> So, always making the general form the same type as the specific form would
> assist matching. This happens naturally for X.500 names and (I hope) the
> other name forms.
>
> All the best. Tim.
>
> -----Original Message-----
> From: Seth.Proctor@Sun.COM [mailto:Seth.Proctor@Sun.COM]
> Sent: Thursday, May 13, 2004 1:11 AM
> To: Tim Moses
> Cc: 'XACML'
> Subject: Re: [xacml] Inputs to rfc822Name-match
>
>
> Tim Moses wrote:
>
>> Anne - I know you are right. But, WE define
>> urn:oasis:names:tc:xacml:2.0:data-type:rfc822Name. So, if we want "*"
>> to be a valid instance of this type, then it can be. Can't it?
>
> It could be, but why would we want this? I can't think of any reason why
> we'd want someone able to specify * or .com or something similar as a
> valid email address (since that breaks with rfc822, which is what we
> reference for the datatype). Technically, we specify the datatype's
> identifier, but not the format of the datatype, so we don't actually
> have the freedom to re-define the type unless we define it from scratch.
>
> Tim, do you have a specific use case that requires this? I'm trying
> hard, but I can't come up with a scenario where you need to pass two
> rfc822Names to the match function and can't instead provide a string as
> one parameter. Unless there's a real problem this solves, I wouldn't
> want us to confuse the rfc822Name datatype.
>
>
> seth
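The thread turns on one point: the first argument of `urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match` is a *string* pattern, and the XACML specification already lets that string name a full address, a whole domain, or (with a leading ".") a domain and all its subdomains, so the "range of values" use case does not need "*" or "@bar.com" to be valid rfc822Names. The following Python is an added example, not code from the thread or from any OASIS implementation. It implements the matching rules the XACML 1.0/2.0 spec gives for this function; the `is_rfc822_name` check is a deliberately simplified assumption (one "@", non-empty local and domain parts), not the full RFC 822 grammar, and is there to show that a mask such as "*" fails as a second argument while working fine as a first argument.

```python
import re

# Simplified validity check for the rfc822Name data type (assumption for this
# example, not the full RFC 822 grammar): exactly one "@" with non-empty,
# whitespace-free local-part and domain-part. Masks such as "*" or "@bar.com"
# fail this check, which is why they cannot be the rfc822Name argument.
_RFC822_NAME = re.compile(r"^[^@\s]+@[^@\s]+$")


def is_rfc822_name(value: str) -> bool:
    """True if value is an acceptable rfc822Name (complete address)."""
    return bool(_RFC822_NAME.match(value))


def rfc822name_match(pattern: str, name: str) -> bool:
    """XACML rfc822Name-match: string pattern (arg 1) against rfc822Name (arg 2).

    Per the XACML spec the pattern is either
      * a complete address  ("Anderson@sun.com"): local-part compared
        case-sensitively, domain-part case-insensitively;
      * a bare domain       ("sun.com"): any address at exactly that domain;
      * a dotted domain     (".east.sun.com"): any address in that domain
        or any of its subdomains.
    """
    if not is_rfc822_name(name):
        raise ValueError(f"second argument is not a valid rfc822Name: {name!r}")
    local, _, domain = name.rpartition("@")
    domain = domain.lower()

    if "@" in pattern:
        # Complete address: exact local-part, case-insensitive domain.
        p_local, _, p_domain = pattern.rpartition("@")
        return p_local == local and p_domain.lower() == domain

    if pattern.startswith("."):
        # Domain plus subdomains: ".east.sun.com" covers east.sun.com itself
        # and anything below it, such as isrg.east.sun.com.
        suffix = pattern.lower()
        return domain == suffix[1:] or domain.endswith(suffix)

    # Bare domain: addresses at exactly that domain, not at subdomains.
    return domain == pattern.lower()


def applicable_patterns(patterns: list[str], name: str) -> list[str]:
    """Return the policy target patterns that apply to one request rfc822Name.

    This stands in for the PDP step Tim describes: the target carries string
    patterns, the request carries an rfc822Name, and the match function
    bridges the two data types without redefining rfc822Name.
    """
    return [p for p in patterns if rfc822name_match(p, name)]


if __name__ == "__main__":
    # Constructed sample data echoing the addresses used in the thread.
    targets = ["Anderson@sun.com", "sun.com", ".east.sun.com", "bar.com"]
    for request in ["anderson@sun.com", "Baxter@SUN.COM",
                    "anne.anderson@ISRG.EAST.SUN.COM", "foo@bar.com"]:
        print(request, "->", applicable_patterns(targets, request))
```

Bill's "mask of '@bar.com'" maps directly onto the bare-domain form: the pattern `"bar.com"` as the string argument matches `foo@bar.com` while every rfc822Name in the request context stays a complete, valid address.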