Subject: Re: [xacml-comment] Comments and questions on Obligations (AppendixC.1, C.2, and C.3).



I agree on the comments.
I think each section in Appendix C should describe more about which
obligations should be returned.

Satoshi Hada
IBM Tokyo Research Laboratory
mailto:satoshih@jp.ibm.com


Michiharu Kudoh/Japan/IBM@IBMJP
2003/01/23 12:52
To: XACML COMMENT <xacml-comment@lists.oasis-open.org>, XACML TC <xacml@lists.oasis-open.org>
cc:
Subject: [xacml-comment] Comments and questions on Obligations (Appendix C.1, C.2, and C.3).



The following are my comments.

1. Correct. Line 4657, 4768, 4845 (in PDF version)
"Obligations of the individual policies shall be combined as described in
Section 3.3.2.3."
 should be
"Obligations of the individual policies shall be combined as described in
Section 3.3.3.2."

2.
>Q2.1.1.
>Assume that the two policies P1 and P2 are evaluated to Permit.
>Should we return both OP1 and OP2, or only one of them in addition to OP ?

We assume that the final decision returned by the policy set is "Permit"
since the enclosing policies return only "Permit". Then the algorithm
should return OP1, OP2, and OP. The reason is that lines 3003 and 3004
say that

"A policy or policy set may contain one or more obligations. When such a
policy or policy set is EVALUATED, an obligation SHALL be passed up to the
next level of evaluation (the enclosing or referencing policy set or
authorization decision) only if the effect of the policy or policy set
being evaluated matches the value of the xacml:FulfillOn attribute of the
obligation."

Since both P1 and P2 are evaluated, OP1 and OP2 must be passed up to the
next level of evaluation (policy set) and the final decision must include
OP1, OP2, and OP.


>Q2.1.2
>Assume that the two policies P1 and P2 are evaluated to Deny.
>Should we return both OD1 and OD2, or only one of them in addition to OD ?

We assume that the final decision returned by the policy set is "Deny".
Then the algorithm should return OD1 and OD. OD2 is not returned because P2
is not evaluated in this case. When the algorithm encounters "deny" effect
that holds, it immediately returns "deny" according to the algorithm line
4578-4580.

>2.2 Permit-overrides:
>-----------------
>I have the same two questions.

When P1 and P2 are evaluated to Permit, then the algorithm should return
OP1 and OP.
When P1 and P2 are evaluated to Deny, then the algorithm should return OD1,
OD2, and OD.

>Q2.3.1.
>Assume that P1 is the first applicable policy that is evaluated to Permit,
>and that P2 is also evaluated to Permit.
>Should we return both OP1 and OP2, or only OP1 in addition to OP?

The algorithm should return OP1 and OP. P2 is no longer evaluated.

>Q2.3.2.
>I have the same question in case of Deny.
>Should we return both OD1 and OD2, or only OD1 in addition to OD?

The algorithm should return OD1 and OD. P2 is no longer evaluated.

Michiharu
IBM Tokyo Research Laboratory



----- Forwarded by Michiharu Kudoh/Japan/IBM on 2003/01/23 12:52 -----
Satoshi Hada/Japan/IBM@IBMJP
2003/01/20 11:23
To: XACML COMMENT <xacml-comment@lists.oasis-open.org>
cc:
Subject: [xacml-comment] Comments and questions on Obligations (Appendix C.1, C.2, and C.3).




Hi,

Comments and questions on Obligations.

1.
At the end of C.1, C.2, and C.3, we have the following description just
after the explanation
about policy combining algorithms:
"Obligations of the individual policies shall be combined as described in
Section 3.3.2.3 "

However, Section 3.3.2.3 is about a policy rather than a set of policies.
So it should be Section 3.3.3.2 rather than 3.3.2.3.

---------------------------------------------------------------------

2.
It is clear to me which obligations should be returned when evaluating a
policy.
However, it's unclear to me when evaluating a set of policies (not a
policy).
Do you think that the description in Section 7.11 is clear enough to answer
the following questions?

2.1 Deny-overrides:
---------------
Consider a policy set using the deny-overrides policy comb alg.
Assume that the policy set has two obligation sets OP and OD for Permit and
Deny, respectively.
Assume that the policy set has two policies P1 and P2 with different
obligation sets O1 and O2, respectively.
Assume that O1  consists of OP1 and OD1 for Permit and Deny.
Assume that O2  consists of OP2 and OD2 for Permit and Deny.

Q2.1.1.
Assume that the two policies P1 and P2 are evaluated to Permit.
Should we return both OP1 and OP2, or only one of them in addition to OP ?

Q2.1.2
Assume that the two policies P1 and P2 are evaluated to Deny.
Should we return both OD1 and OD2, or only one of them in addition to OD ?

2.2 Permit-overrides:
-----------------
I have the same two questions.

2.3 First-applicable:
----------------
Consider a policy set, which is the same as the above policy except that
it uses the first-applicable policy comb alg.

Q2.3.1.
Assume that P1 is the first applicable policy that is evaluated to Permit,
and that P2 is also evaluated to Permit.
Should we return both OP1 and OP2, or only OP1 in addition to OP?

Q2.3.2.
I have the same question in case of Deny.
Should we return both OD1 and OD2, or only OD1 in addition to OD?

2.4 Only-one-applicable:
-------------------
We can return the obligation set specified in the only applicable policy.
So I have no question in this algorithm.

Satoshi Hada
IBM Tokyo Research Laboratory
mailto:satoshih@jp.ibm.com



----------------------------------------------------------------
To subscribe or unsubscribe from this elist use the subscription
manager: <http://lists.oasis-open.org/ob/adm.pl>
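
Added example (not part of the original thread or of the XACML specification): a Python model of the reading given in Michiharu's reply, where a combining algorithm stops at the first overriding or applicable policy and only evaluated policies pass obligations up. The names Policy, evaluate_children, combine and thread_case are hypothetical, Indeterminate is not modelled, and the handling of mixed Permit/Deny children is an assumption the thread does not cover.

```python
# Added illustration, not from the thread or the XACML spec; all names are hypothetical.
from dataclasses import dataclass, field

PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"
OVERRIDING = {"deny-overrides": DENY, "permit-overrides": PERMIT}

@dataclass
class Policy:
    name: str
    decision: str  # constructed evaluation result for this request
    obligations: dict = field(default_factory=dict)  # FulfillOn -> obligation ids

def evaluate_children(policies, algorithm):
    """Return (combined decision, policies actually evaluated), stopping early."""
    if algorithm not in OVERRIDING and algorithm != "first-applicable":
        raise ValueError(f"unsupported algorithm: {algorithm}")
    seen, fallback = [], NA
    for p in policies:
        seen.append(p)
        if algorithm == "first-applicable":
            if p.decision != NA:
                return p.decision, seen
        elif p.decision == OVERRIDING[algorithm]:
            return p.decision, seen  # overriding effect found: stop here
        elif p.decision != NA:
            fallback = p.decision
    return fallback, seen

def combine(policies, algorithm, set_obligations):
    """Combine decisions and collect obligations whose FulfillOn matches."""
    decision, seen = evaluate_children(policies, algorithm)
    passed_up = []
    for p in seen:
        # Assumption for mixed results: a child contributes only when its own
        # effect equals the combined decision.
        if p.decision == decision:
            passed_up += p.obligations.get(decision, [])
    return decision, passed_up + set_obligations.get(decision, [])

def thread_case(algorithm, decision):
    """P1 and P2 both evaluate to `decision`, as in Q2.1 to Q2.3."""
    p1 = Policy("P1", decision, {PERMIT: ["OP1"], DENY: ["OD1"]})
    p2 = Policy("P2", decision, {PERMIT: ["OP2"], DENY: ["OD2"]})
    return combine([p1, p2], algorithm, {PERMIT: ["OP"], DENY: ["OD"]})

if __name__ == "__main__":
    for alg in ("deny-overrides", "permit-overrides", "first-applicable"):
        for d in (PERMIT, DENY):
            print(alg, d, thread_case(alg, d)[1])
```

The result depends on child order and on short-circuiting: with both policies evaluating to Deny under deny-overrides, swapping P1 and P2 returns OD2 instead of OD1.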