

Subject: XACML 3.0 core wd 20 uploaded


Hi all,

I have updated the core working draft. I fixed the typos that were 
discussed on the list. I also tried to reorganize the extended 
Indeterminate stuff to make it better as has been discussed on the list. 
While doing that, I made quite a lot of changes, some of which I would 
like to highlight in particular:

- In section 7, Rule/Policy/PolicySet evaluation, there were two 
normative descriptions in each case. First, there was a table, and then 
there were also English language descriptions. As the tables are growing 
with more cases now, the English language text becomes more and more 
complex, making it likely to contain mistakes and hard to understand. 
And we should not have two normative descriptions anyway. So I removed 
the English language texts rather than changing them even more. Let me 
know if you don't agree with this change.

- Also in section 7, Policy/Set evaluation, it said that if the target 
matches and "All rule values are NotApplicable", then the result is 
NotApplicable. This is in conflict with the deny-unless-permit and 
permit-unless-deny algorithms, which would not have any effect in this 
case. It seems more consistent to let the combining algorithm always 
decide this, so I changed the table.

- I added an explanation about what the input to each combining 
algorithm represents. I also said that they may work in any order, since 
this is what has been intended in the past, but the pseudo code has a 
for loop which works in order.

I noticed that section A.3 is in conflict with the definitions of 
boolean AND and OR. It said that "If an argument of one of these 
functions were to evaluate to Indeterminate, then the function SHALL be 
set to Indeterminate". I changed it to "Unless otherwise specified, if 
an argument of one of these functions were to evaluate to Indeterminate, 
then the function SHALL be set to Indeterminate".

I made it explicit that an implementation may work differently 
internally than the definitions presented.

Best regards,
Erik
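
Added example, not part of the message above or of the working draft: Python code modelling the section 7 change described in the second bullet, comparing the old table row ("All rule values are NotApplicable") with letting the combining algorithm always decide. The function names and the `old_table` flag are assumptions made for illustration, and Indeterminate is not modelled.

```python
from enum import Enum

class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"

def deny_unless_permit(decisions):
    # Permit if any child permits, otherwise Deny; never NotApplicable.
    return Decision.PERMIT if Decision.PERMIT in decisions else Decision.DENY

def permit_unless_deny(decisions):
    # Deny if any child denies, otherwise Permit; never NotApplicable.
    return Decision.DENY if Decision.DENY in decisions else Decision.PERMIT

def deny_overrides_simplified(decisions):
    # Simplified for this example: Indeterminate inputs are not modelled.
    if Decision.DENY in decisions:
        return Decision.DENY
    if Decision.PERMIT in decisions:
        return Decision.PERMIT
    return Decision.NOT_APPLICABLE

ALGORITHMS = (deny_unless_permit, permit_unless_deny, deny_overrides_simplified)

def evaluate_policy(target_matches, rule_decisions, combine, old_table=False):
    if not target_matches:
        return Decision.NOT_APPLICABLE
    # Old table row: "All rule values are NotApplicable" -> NotApplicable,
    # decided before the combining algorithm is consulted.
    if old_table and all(d is Decision.NOT_APPLICABLE for d in rule_decisions):
        return Decision.NOT_APPLICABLE
    # Revised table: the combining algorithm always decides.
    return combine(rule_decisions)

def divergences(rule_decisions):
    """Names of algorithms whose result differs between old and revised table."""
    return [
        alg.__name__ for alg in ALGORITHMS
        if evaluate_policy(True, rule_decisions, alg, old_table=True)
        != evaluate_policy(True, rule_decisions, alg)
    ]

if __name__ == "__main__":
    NA = Decision.NOT_APPLICABLE
    print(divergences([NA, NA]))  # constructed input: every rule abstains
```

Only the two "unless" algorithms change outcome when every rule is NotApplicable: under the old row a matching deny-unless-permit policy returned NotApplicable instead of Deny.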

