OASIS Mailing List Archives

xacml message



Subject: Optimizing <Target> evaluation


All,

I have been considering how to optimize evaluation of the <Target>, and 
I think the standard could be improved for 3.0.

There are several levels in the target, and their behaviour has been 
inherited from the 2.0 specification. The levels of combining results in 
the target matching are <Target>, <AnyOf> and <AllOf>. The issue I am 
considering is the priority of an Indeterminate result in the 
combination at these levels.

At the <Target> level if at least one of the children is Indeterminate, 
then the whole target is Indeterminate, regardless of the other values.

At the <AnyOf> level if at least one of the children matches, then the 
whole <AnyOf> is a match, regardless of whether there are any 
Indeterminate values in the other children.

At the <AllOf> level if at least one of the children is "false", then 
the whole <AllOf> is a no match, regardless of whether there are any 
Indeterminate values in the other children.

At first, one can note that the treatment of Indeterminate is somewhat 
inconsistent. At the <Target> level Indeterminate has priority, while at 
the other levels it does not.

I would think that it makes more sense that Indeterminate does not have 
priority since if we know that a section of the target does not match, 
then we know for sure that the policy does not apply, so it would be 
safe to ignore the indeterminate from the other parts of the target. 
Conversely, if all parts of the target match, except that there is also 
an indeterminate, then it makes sense that the indeterminate result is 
propagated upwards since we cannot know whether the policy applies or not.

There is also a performance optimization argument in favour of changing 
the <Target> behaviour. The current behaviour means that if the PDP 
finds a section in the target which does not match, it still has to 
evaluate the remaining sections to determine that there is no 
Indeterminate result. In most cases we would expect that Indeterminates 
are less common than non-matching targets, so we can expect better 
performance if the PDP would give priority to a non-matching target.

I propose therefore that to improve consistency and performance, we 
change the <Target> matching specification in 3.0 so that a non-matching 
child in a <Target> has priority over an Indeterminate child.

Best regards,
Erik
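
The following is an added example, not part of the original message and not code from the XACML specification: a Python sketch of the three combining levels as the message describes them, with the current and the proposed <Target> rule side by side. The names (`R`, `combine`, `run`, the `role` and `dept` matches) and the sample target are constructed for illustration.

```python
from enum import Enum

class R(Enum):
    MATCH = "Match"
    NO_MATCH = "No match"
    INDETERMINATE = "Indeterminate"

def combine(children, evaluate, decisive, fallback):
    """Return `decisive` as soon as a child yields it (short-circuit);
    otherwise Indeterminate if any child was, else `fallback`."""
    indeterminate = False
    for child in children:
        result = evaluate(child)
        if result is decisive:
            return decisive
        indeterminate |= result is R.INDETERMINATE
    return R.INDETERMINATE if indeterminate else fallback

def all_of(matches):      # one "false" child decides: no match
    return combine(matches, lambda m: m(), R.NO_MATCH, R.MATCH)

def any_of(all_ofs):      # one matching child decides: match
    return combine(all_ofs, all_of, R.MATCH, R.NO_MATCH)

def target_current(any_ofs):   # Indeterminate has priority over no match
    no_match = False
    for child in any_ofs:
        result = any_of(child)
        if result is R.INDETERMINATE:
            return result
        no_match |= result is R.NO_MATCH   # cannot stop here: keep evaluating
    return R.NO_MATCH if no_match else R.MATCH

def target_proposed(any_ofs):  # no match has priority over Indeterminate
    return combine(any_ofs, any_of, R.NO_MATCH, R.MATCH)

def run(target_fn):
    """Evaluate a constructed two-section target; return (result, matches evaluated)."""
    calls = []
    def leaf(name, result):
        def match():
            calls.append(name)
            return result
        return match
    target = [
        [[leaf("role", R.NO_MATCH)]],        # first <AnyOf>: does not match
        [[leaf("dept", R.INDETERMINATE)]],   # second <AnyOf>: attribute lookup fails
    ]
    return target_fn(target), calls
```

On this target the two rules differ in both cost and outcome: the current rule evaluates both sections and yields Indeterminate, while the proposed rule stops after the first section with a no match.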


