xacml-comment message
Subject: Re: [xacml-comment] Two comments on XACML Implementers Guide
- From: "Satoshi Hada" <SATOSHIH@jp.ibm.com>
- To: Polar Humenn <polar@syr.edu>
- Date: Tue, 22 Apr 2003 10:43:08 +0900
>> > What does "a singleton bag" mean?
>> > Does it mean a bag that contains a single attribute value?
>>
>> Yes.

Because the term "singleton bag" is not used at all in the XACML specification document, I think the meaning should be explicitly defined if the term is used in the XACML Implementers Guide.

>> I don't understand your point. The "applicability" test is based solely on
>> the evaluation of the target, whether it is only-one-applicable, or
>> first-applicable.

In my understanding, the applicability test for "only-one-applicable" is different from the one for "first-applicable".

Appendix C.4 says that:

In the entire set of policies in the policy set, if no policy is considered applicable by virtue of their targets, then the result of the policy combination algorithm SHALL be "NotApplicable". If more than one policy is considered applicable by virtue of their targets, then the result of the policy combination algorithm SHALL be "Indeterminate".

So I think the applicability test for "only-one-applicable" is based solely on the evaluation of the target, and it seems to me that this is what Section 6 tries to note in the XACML Implementers Guide.

On the other hand, the applicability test for "first-applicable" is NOT based solely on the target evaluation. For example, in case of rule-combining, it is based on both the target and condition. So I don't think Section 6 in the XACML Implementers Guide is not a good note on "first-applicable".

Appendix C.3 says that:

For a particular rule, if the target matches and the condition evaluates to "True", then the evaluation of the policy SHALL halt and the corresponding effect of the rule SHALL be the result of the evaluation of the policy (i.e. "Permit" or "Deny").

For a particular policy, if the target evaluates to "True" and the policy evaluates to a determinate value of "Permit" or "Deny", then the evaluation SHALL halt and the policy set SHALL evaluate to the effect value of that policy.

Satoshi Hada
IBM Tokyo Research Laboratory
mailto:satoshih@jp.ibm.com

Polar Humenn <polar@syr.edu>
2003/04/18 22:29
To: Satoshi Hada/Japan/IBM@IBMJP
cc: xacml-comment@lists.oasis-open.org
Subject: Re: [xacml-comment] Two comments on XACML Implementers Guide

On Fri, 18 Apr 2003, Satoshi Hada wrote:
> Two comments on XACML Implementers Guide:
> http://www.oasis-open.org/committees/xacml/repository/xacml-implement-guide-1.1.doc
>
> >> Section4 Bags
> >> A singleton bag is NOT the same
> >> as an instance of the datatype contained in the bag.
>
> What does "a singleton bag" mean?
> Does it mean a bag that contains a single attribute value?
Yes.
> >> Section6 Combining algorithm.
> >> First-Applicable: The "applicability" test is based solely on
> >> evaluation of the Target.
>
> It seems to me that this is a description about
> Only-one-applicable (Appendix C.4)
> rather than First-applicable (Appendix C.3).
I don't understand your point. The "applicability" test is based solely on
the evaluation of the target, whether it is only-one-applicable, or
first-applicable. Are you saying that the descriptions in Section six are
merely misplaced?
Cheers,
-Polar
> Satoshi Hada
> IBM Tokyo Research Laboratory
> mailto:satoshih@jp.ibm.com
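
Added example, not part of the original messages or of the XACML documents: the two combining algorithms as quoted above from Appendix C.3 and C.4, written in Python so the difference in the applicability test can be run. Rule, Policy and the dict-shaped request are hypothetical names; the fall-through to "NotApplicable", the exactly-one-applicable branch and the use of first-applicable inside each policy are assumptions beyond the quoted text, and "Indeterminate" results caused by evaluation errors are not modelled.

```python
# Added illustration; Rule, Policy and the dict-shaped request are hypothetical names.
from dataclasses import dataclass
from typing import Callable, Dict, List

Request = Dict[str, str]
Pred = Callable[[Request], bool]

@dataclass
class Rule:
    effect: str       # "Permit" or "Deny"
    target: Pred
    condition: Pred

@dataclass
class Policy:
    target: Pred
    rules: List[Rule]

def first_applicable_rules(rules: List[Rule], req: Request) -> str:
    # C.3 (rules): halt on the first rule whose target matches AND whose condition is True.
    for rule in rules:
        if rule.target(req) and rule.condition(req):
            return rule.effect
    return "NotApplicable"  # assumption: no rule applied

def first_applicable_policies(policies: List[Policy], req: Request) -> str:
    # C.3 (policies): halt on the first policy whose target is True AND that
    # evaluates to a determinate "Permit" or "Deny".
    for policy in policies:
        if policy.target(req):
            result = first_applicable_rules(policy.rules, req)
            if result in ("Permit", "Deny"):
                return result
    return "NotApplicable"  # assumption: no policy applied

def only_one_applicable(policies: List[Policy], req: Request) -> str:
    # C.4: applicability is decided by targets alone, before any rule is evaluated.
    applicable = [p for p in policies if p.target(req)]
    if not applicable:
        return "NotApplicable"
    if len(applicable) > 1:
        return "Indeterminate"
    return first_applicable_rules(applicable[0].rules, req)

# Constructed sample: both policies target the same resource.
on_records: Pred = lambda r: r["resource"] == "records"
always: Pred = lambda r: True
doctors = Policy(on_records, [Rule("Permit", always, lambda r: r["role"] == "doctor")])
fallback = Policy(on_records, [Rule("Deny", always, always)])
nurse = {"resource": "records", "role": "nurse"}
```

For the constructed nurse request, only_one_applicable([doctors, fallback], nurse) yields "Indeterminate" because two targets match, while first_applicable_policies on the same input skips the first policy (its condition is false) and yields "Deny".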