OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: NotApplicable and combining algs



Sections 7.10 and 7.11 of draft 13 say that in all cases, if no 
elements provided to a combining algorithm apply then the combining 
algorithm always returns NotApplicable. Is that really what we want? 
Shouldn't I be free to write a combining algorithm, for example, that 
returns Deny if no elements apply? I can think of many cases where this 
would be very useful (at the top-level in a PDP and to replace 
fall-through Deny rules).

The reason I ask is twofold. First, I don't ever remember discussing 
this issue, so I'm not sure if someone explicitly wanted to see this in 
the spec or if it's just an oversight. Second, I think it breaks the 
relationship shown on page 19, since it implies that before a combining 
algorithm starts working with its elements, something above it will 
already have checked applicability of all elements. I think it's clear 
that we don't want that model. Basically, I think this is another case 
where we should say that the combining algorithm decides, and it just 
so happnes that all the standard algorithms return NotApplicable in 
this case.

Yes? No? What do people think? Again, maybe fodder for discussion 
tomorrow?


seth



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]