Subject: [xacml-comment] Comments and questions on Obligations (Appendix C.1,C.2, and C.3).
Hi,

Comments and questions on Obligations.

1. At the end of C.1, C.2, and C.3, we have the following description just after the explanation about policy combining algorithms:

"Obligations of the individual policies shall be combined as described in Section 3.3.2.3"

However, Section 3.3.2.3 is about a policy rather than a set of policies. So it should be Section 3.3.3.2 rather than 3.3.2.3.

---------------------------------------------------------------------

2. It is clear to me which obligations should be returned when evaluating a policy. However, it's unclear to me when evaluating a set of policies (not a policy). Do you think that the description in Section 7.11 is clear enough to answer the following questions?

2.1 Deny-overrides:
---------------

Consider a policy set using the deny-overrides policy comb alg.
Assume that the policy set has two obligation sets OP and OD for Permit and Deny, respectively.
Assume that the policy set has two policies P1 and P2 with different obligation sets O1 and O2, respectively.
Assume that O1 consists of OP1 and OD1 for Permit and Deny.
Assume that O2 consists of OP2 and OD2 for Permit and Deny.

Q2.1.1. Assume that the two policies P1 and P2 are evaluated to Permit. Should we return both OP1 and OP2, or only one of them in addition to OP?

Q2.1.2. Assume that the two policies P1 and P2 are evaluated to Deny. Should we return both OD1 and OD2, or only one of them in addition to OD?

2.2 Permit-overrides:
-----------------

I have the same two questions.

2.3 First-applicable:
----------------

Consider a policy set, which is the same as the above policy except that it uses the first-applicable policy comb alg.

Q2.3.1. Assume that P1 is the first applicable policy that is evaluated to Permit, and that P2 is also evaluated to Permit. Should we return both OP1 and OP2, or only OP1 in addition to OP?

Q2.3.2. I have the same question in case of Deny. Should we return both OD1 and OD2, or only OD1 in addition to OD?

2.4 Only-one-applicable:
-------------------

We can return the obligation set specified in the only applicable policy. So I have no question in this algorithm.

Satoshi Hada
IBM Tokyo Research Laboratory
mailto:satoshih@jp.ibm.com