Subject: Re: [xacml] Re: Policy equivalence [was: The Indeterminate flavors question]
Hi,

(Tried to post this earlier, but there was an outage in the OASIS email servers it seems.)

Maybe, but it also goes against current concepts in XACML and is not that easy to define.

- It puts restrictions on combining algorithms. For instance the permit-unless-deny and deny-unless-permit algorithms would be disallowed.

- I haven't thought it through properly, but I suspect that of the four possible decisions, we can make only one decision "linear". So, if we for instance make Indeterminate linear, then NotApplicable cannot be so because at any given level the conflict between a NotApplicable and Indeterminate has to be resolved. If there is a target T1 which causes Indeterminate and a target T2 which causes NotApplicable, depending on which one we push down in the equivalent policy, assuming we push down only one of them, we could get different results since given any single definition of priority, only one of them can truly become linear. So linearity probably is not possible to achieve. (If I got this right...)

- The equivalency conditions are not that simple since the order of expressions in the equivalent policies matters, so we would need to be very careful about this. For instance, a condition with an AND expression short circuits, so we must take care to join the pushed down conditional expressions properly in relation to everything else which exists or is pushed down. Can probably be done, but not very simple, which raises the following question:

- What specifically is the proposal on the table and for what benefit? Is the proposal that we define some transformation in the spec? For what purpose? Is it that we require certain meta conditions on combining algorithms so some transformation supposedly holds? Which transformation is this and what are the conditions on the algorithms?
Best regards,
Erik

On 2011-04-29 09:28, remon.sinnema@emc.com wrote:
>> -----Original Message-----
>> From: Tyson, Paul H [mailto:PTyson@bellhelicopter.textron.com]
>> Sent: Monday, April 25, 2011 3:22 PM
>> To: Erik Rissanen; xacml
>> Subject: RE: [xacml] The Indeterminate flavors question
>>
>> In the longer term the TC should work out a comprehensive logical
>> framework that explicitly either confirms or denies the "policy
>> equivalence" (or "linearity" as Erik called it) between a policy with a
>> non-empty target and the same policy with an empty target and the
>> attribute tests distributed to the descendant conditions (with
>> appropriate syntactic modifications). Hal has said the TC has avoided
>> previous attempts to define "policy equivalence", but I assume that was
>> in general, not for this specific issue.
> I agree that policy equivalence/linearity makes a lot of sense from the perspective of being able to understand XACML policies.
> It might also enable certain optimizations in implementations.
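The following is an added worked example, not part of the thread above and not code from the XACML TC or any XACML implementation. It models Erik's first objection: pushing a policy's target down into its rules' conditions is not an equivalence under permit-unless-deny, because a non-matching target turns a NotApplicable into a Permit. The model is deliberately simplified: the XACML 3.0 Indeterminate{D}, {P} and {DP} flavours are collapsed into one Indeterminate, only three combining algorithms are modelled, and the sample policy, attribute names and requests are constructed for the demonstration.

```python
"""Toy XACML evaluator to check the 'push the target down' transformation.

Simplifications (assumptions of this example, not XACML itself):
- Decisions are Permit / Deny / NotApplicable / Indeterminate only;
  the 3.0 Indeterminate{D,P,DP} flavours are collapsed into one value.
- A rule is just (condition, effect); rule targets are folded into the condition.
- Only deny-overrides, permit-unless-deny and deny-unless-permit are modelled.
"""

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"
INDET = "Indeterminate"  # third truth value for match/condition evaluation


def xacml_and(*values):
    """XACML 'and': any False yields False (even beside Indeterminate),
    otherwise any Indeterminate yields Indeterminate, otherwise True."""
    if any(v is False for v in values):
        return False
    if any(v == INDET for v in values):
        return INDET
    return True


def attr_equals(name, expected):
    """Constructed attribute test: missing attribute -> Indeterminate."""
    def test(request):
        if name not in request:
            return INDET
        return request[name] == expected
    return test


def deny_overrides(decisions):
    if DENY in decisions:
        return DENY
    if INDETERMINATE in decisions:
        return INDETERMINATE
    if PERMIT in decisions:
        return PERMIT
    return NOT_APPLICABLE


def permit_unless_deny(decisions):
    return DENY if DENY in decisions else PERMIT


def deny_unless_permit(decisions):
    return PERMIT if PERMIT in decisions else DENY


ALGORITHMS = {
    "deny-overrides": deny_overrides,
    "permit-unless-deny": permit_unless_deny,
    "deny-unless-permit": deny_unless_permit,
}


def evaluate_rule(rule, request):
    match = rule["condition"](request)
    if match is True:
        return rule["effect"]
    if match is False:
        return NOT_APPLICABLE
    return INDETERMINATE


def evaluate_policy(policy, request):
    """Policy target first, then the combining algorithm over the rules."""
    match = policy["target"](request)
    if match is False:
        return NOT_APPLICABLE
    if match is not True:
        return INDETERMINATE
    decisions = [evaluate_rule(r, request) for r in policy["rules"]]
    return ALGORITHMS[policy["algorithm"]](decisions)


def push_target_down(policy):
    """The transformation under discussion: empty policy target, and the
    old target AND-ed into every rule condition."""
    target = policy["target"]

    def conjoin(cond):
        return lambda request: xacml_and(target(request), cond(request))

    return {
        "target": lambda request: True,
        "algorithm": policy["algorithm"],
        "rules": [{"effect": r["effect"], "condition": conjoin(r["condition"])}
                  for r in policy["rules"]],
    }


def make_policy(algorithm):
    """Constructed sample: applies to engineers; denies 'secret', permits 'read'."""
    return {
        "target": attr_equals("role", "engineer"),
        "algorithm": algorithm,
        "rules": [
            {"condition": attr_equals("resource", "secret"), "effect": DENY},
            {"condition": attr_equals("action", "read"), "effect": PERMIT},
        ],
    }


def compare(policy, request):
    """(original decision, decision of the pushed-down policy)."""
    return evaluate_policy(policy, request), evaluate_policy(push_target_down(policy), request)


# Constructed requests.
R_ENGINEER_READ = {"role": "engineer", "resource": "doc", "action": "read"}
R_GUEST_READ = {"role": "guest", "resource": "doc", "action": "read"}
R_MISSING_ROLE = {"resource": "doc", "action": "read"}

if __name__ == "__main__":
    for alg in ALGORITHMS:
        for req in (R_ENGINEER_READ, R_GUEST_READ, R_MISSING_ROLE):
            print(alg, req, compare(make_policy(alg), req))
```

Running the block shows deny-overrides agreeing on all three requests, while permit-unless-deny turns the original NotApplicable (target does not match) and Indeterminate (role attribute missing) into Permit once the target is pushed down, since every rule is then NotApplicable or Indeterminate and the algorithm defaults to Permit. This is exactly why the transformation would have to exclude that family of algorithms.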