OASIS Mailing List Archives

xacml-comment message



Subject: [xacml-comment] Comments and questions on Obligations (Appendix C.1,C.2, and C.3).


Hi,

Comments and questions on Obligations.

1.
At the end of C.1, C.2, and C.3, we have the following description just
after the explanation
about policy combining algorithms:
"Obligations of the individual policies shall be combined as described in
Section 3.3.2.3"

However, Section 3.3.2.3 is about a policy rather than a set of policies.
So it should be Section 3.3.3.2 rather than 3.3.2.3.

---------------------------------------------------------------------

2.
It is clear to me which obligations should be returned when evaluating a
policy.
However, it's unclear to me when evaluating a set of policies (not a
policy).
Do you think that the description in Section 7.11 is clear enough to answer
the following questions?

2.1 Deny-overrides:
---------------
Consider a policy set using the deny-overrides policy comb alg.
Assume that the policy set has two obligation sets OP and OD for Permit and
Deny, respectively.
Assume that the policy set has two policies P1 and P2 with different
obligation sets O1 and O2, respectively.
Assume that O1  consists of OP1 and OD1 for Permit and Deny.
Assume that O2  consists of OP2 and OD2 for Permit and Deny.

Q2.1.1.
Assume that the two policies P1 and P2 are evaluated to Permit.
Should we return both OP1 and OP2, or only one of them in addition to OP?

Q2.1.2
Assume that the two policies P1 and P2 are evaluated to Deny.
Should we return both OD1 and OD2, or only one of them in addition to OD?

2.2 Permit-overrides:
-----------------
I have the same two questions.

2.3 First-applicable:
----------------
Consider a policy set, which is the same as the above policy except that
it uses the first-applicable policy comb alg.

Q2.3.1.
Assume that P1 is the first applicable policy that is evaluated to Permit,
and that P2 is also evaluated to Permit.
Should we return both OP1 and OP2, or only OP1 in addition to OP?

Q2.3.2.
I have the same question in the case of Deny.
Should we return both OD1 and OD2, or only OD1 in addition to OD?

2.4 Only-one-applicable:
-------------------
We can return the obligation set specified in the only applicable policy.
So I have no question in this algorithm.

Satoshi Hada
IBM Tokyo Research Laboratory
mailto:satoshih@jp.ibm.com
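
The scenarios in questions 2.1 to 2.3, modelled as an added example that is not part of the original message or of the XACML specification. It assumes one possible rule (a child policy contributes obligations only if it was evaluated and its decision matches the policy set's decision) and shows how the returned set then depends on whether evaluation stops early; `combine`, `scenario` and `short_circuit` are hypothetical names, and only-one-applicable is not modelled.

```python
from dataclasses import dataclass

PERMIT, DENY = "Permit", "Deny"
OVERRIDING = {"deny-overrides": DENY, "permit-overrides": PERMIT,
              "first-applicable": None}

@dataclass
class Policy:
    name: str
    decision: str      # constructed: fixed result, Permit or Deny only
    obligations: dict  # effect -> set of obligation names

def combine(algorithm, policies, set_obligations, short_circuit):
    """Evaluate a policy set; return (decision, obligations).

    Assumption: a child policy contributes obligations only if it was
    actually evaluated and its decision equals the policy set's decision.
    short_circuit=True stops evaluating once the decision is fixed.
    """
    if algorithm not in OVERRIDING:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    if not policies:
        raise ValueError("scenario needs at least one policy")
    winner = OVERRIDING[algorithm]
    evaluated = []
    for p in policies:
        evaluated.append(p)
        fixed = algorithm == "first-applicable" or p.decision == winner
        if short_circuit and fixed:
            break
    if algorithm == "first-applicable":
        decision = evaluated[0].decision
    elif any(p.decision == winner for p in evaluated):
        decision = winner
    else:
        decision = evaluated[0].decision  # no overriding result seen
    result = set(set_obligations[decision])
    for p in evaluated:
        if p.decision == decision:
            result |= p.obligations[decision]
    return decision, result

def scenario(algorithm, d1, d2, short_circuit):
    """The message's policy set: OP/OD on the set, OPn/ODn on P1 and P2."""
    p1 = Policy("P1", d1, {PERMIT: {"OP1"}, DENY: {"OD1"}})
    p2 = Policy("P2", d2, {PERMIT: {"OP2"}, DENY: {"OD2"}})
    return combine(algorithm, [p1, p2], {PERMIT: {"OP"}, DENY: {"OD"}},
                   short_circuit)
```

Under this assumed rule, Q2.1.1 has a single answer because deny-overrides cannot stop early while every policy returns Permit, whereas Q2.1.2 and Q2.3.1 give different obligation sets depending on `short_circuit`.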



