xacml message

Subject: Re: [xacml] Multiple obligations

From: Bill Parducci <bill@parducci.net>
To: XACML TC <xacml@lists.oasis-open.org>
Date: Fri, 10 Jun 2011 06:28:30 -0700

On Jun 10, 2011, at 5:47 AM, <remon.sinnema@emc.com> wrote:

>> Things get more complicated if the combining algorithms do more than
>> simple conflict resolution between policies, like for instance majority
>> voting for the decision, in which case there would be more than one
>> rule
>> which "caused" the decision.
> 
> I hadn't considered that possibility. I agree that that complicates things.

Also consider heterogenous Obligation definitions.

PDP/PIP A 
Obligation = encrypt: 3DES

PDP/PIP B
Obligation = encrypt: AES-128

Both systems support an Obligation called "encrypt", but it means different things. This too is something that we attempted to address with ObligationFamilies (and why I suggest that if we are to "fix" the problem there needs to be a mechanism for PDP metadata to reference these constructs).

b

References:
- Minutes for 2 June 2011 TC Meeting
  - From: rich levinson <rich.levinson@oracle.com>
- [xacml] Multiple obligations
  - From: <remon.sinnema@emc.com>
- Re: [xacml] Multiple obligations
  - From: rich levinson <rich.levinson@oracle.com>
- Re: [xacml] Multiple obligations
  - From: Erik Rissanen <erik@axiomatics.com>
- RE: [xacml] Multiple obligations
  - From: "Tyson, Paul H" <PTyson@bellhelicopter.textron.com>
- RE: [xacml] Multiple obligations
  - From: <remon.sinnema@emc.com>
- Re: [xacml] Multiple obligations
  - From: Erik Rissanen <erik@axiomatics.com>
- RE: [xacml] Multiple obligations
  - From: <remon.sinnema@emc.com>
- Re: [xacml] Multiple obligations
  - From: Erik Rissanen <erik@axiomatics.com>
- RE: [xacml] Multiple obligations
  - From: <remon.sinnema@emc.com>