xacml message
Subject: Re: [xacml] Re: Combining algorithm combining orders


I actually believe that PEP bias is a bad idea in general. PEP should be regarded as untrusted.

How would deny be propagated to a higher level if this is a Permit override?

I guess we should possibly add another version of that algorithm, but I do not think that the current one is erroneous.

Daniel.

On Oct 23, 2008, at 1:16 AM, Erik Rissanen wrote:

> Yes, your use case is a very valid use case, but it is handled  
> better by a PEP bias (which is part of the XACML specification).  
> Since there are potentially multiple levels of policy combining,  
> flipping an indeterminate to a deny at a lower level might lead to  
> propagation of the deny to the top level, while an indeterminate  
> could have been discarded by a definite result at a higher level.
>
> Regards,
> Erik
>
> Daniel Engovatov wrote:
>>
>> On Oct 23, 2008, at 1:03 AM, Erik Rissanen wrote:
>>
>>>
>>> However, if the permit-overrides algorithm gets to choose between  
>>> a deny and an indeterminate, it says deny, which is not correct.  
>>> The purpose of the permit overrides algorithm is to give priority  
>>> of permit over deny. In this case one of the policies could not  
>>> be evaluated correctly. It could potentially have been a permit,  
>>> in which case the algorithm should return permit.
>>
>> I am not sure it is a question of correctness. The algorithm may be
>> correct, but it may or may not be suitable to a particular use
>> case. I think this use case is a valid one: give Permit if
>> anybody explicitly said Permit, Deny in any other case, including
>> the case when somebody did not have enough time or information to
>> say Permit. Seems like a completely legitimate use case.
>>
>> I have never liked the Permit override anyway...
>>
>> Daniel.
>
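The behaviour under dispute, as an added illustration that is not part of the thread or the OASIS specification text: the XACML 2.0 permit-overrides policy-combining algorithm lets a Deny mask an Indeterminate, the XACML 3.0 revision with extended Indeterminate values keeps that error visible, and a deny-biased PEP refuses access in both cases while still being able to tell the two apart. Function names and the constructed decision lists are this example's own.

```python
# Added example for the permit-overrides discussion above; hypothetical helper
# names, not code from the OASIS specification or from the thread's authors.
PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"
IND, IND_D, IND_P, IND_DP = ("Indeterminate", "Indeterminate{D}",
                             "Indeterminate{P}", "Indeterminate{DP}")


def permit_overrides_v2(decisions):
    """XACML 2.0 policy combining: Permit beats Deny, and Deny beats Indeterminate.
    A policy that failed to evaluate is therefore hidden behind any sibling Deny,
    which is the behaviour Erik objects to in the thread."""
    if PERMIT in decisions:
        return PERMIT
    if DENY in decisions:
        return DENY
    if IND in decisions:
        return IND
    return NA


def permit_overrides_v3(decisions):
    """XACML 3.0 policy combining with extended Indeterminate values.
    Deny and an Indeterminate that could have been a Permit yield
    Indeterminate{DP}, so the evaluation error is preserved upward."""
    if PERMIT in decisions:
        return PERMIT
    if IND_DP in decisions:
        return IND_DP
    if IND_P in decisions and (IND_D in decisions or DENY in decisions):
        return IND_DP
    if IND_P in decisions:
        return IND_P
    if DENY in decisions:
        return DENY
    if IND_D in decisions:
        return IND_D
    return NA


def deny_biased_pep(decision):
    """Deny-biased PEP: only an explicit Permit grants access. The PDP decision is
    returned alongside the enforcement outcome so an Indeterminate stays
    distinguishable from an explicit Deny in audit logs."""
    return ("permit" if decision == PERMIT else "deny", decision)


if __name__ == "__main__":
    lower = [DENY, IND]  # constructed: one policy denied, one could not be evaluated
    print(permit_overrides_v2(lower))                  # Deny: the error is gone
    print(permit_overrides_v3([DENY, IND_P]))          # Indeterminate{DP}: error kept
    print(permit_overrides_v2([permit_overrides_v2(lower), PERMIT]))  # Permit
    print(deny_biased_pep(permit_overrides_v3([DENY, IND_P])))        # ('deny', ...)
```

The last line shows Erik's point: the PEP still denies, but the decision it denied on records that a policy failed rather than that a policy said Deny.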