OASIS Mailing List Archives
xacml-comment message



Subject: Re: [xacml-comment] Two comments on XACML Implementers Guide


On Tue, 22 Apr 2003, Satoshi Hada wrote:

> >> > What does "a singleton bag" mean?
> >> > Does it mean a bag that contains a single attribute value?
> >> 
> >> Yes. 
> 
> Because the term "singleton bag" is not used at all
> in the XACML specification document, 
> I think the meaning should be explicitly defined 
> if the term is used in the XACML Implementers Guide.

I don't really think it needs to be mentioned. I believe it is in the
non-normative text as a clarification. (Although I have forgotten from
where you got it). The "things" returned from designators and selectors
are "bags", whether they are empty, or have one or more elements.

> >> I don't understand your point. The "applicability" test is based solely
> >> on the evaluation of the target, whether it is only-one-applicable, or
> >> first-applicable.
> 
> In my understanding, the applicability test for "only-one-applicable" is
> different from the one for "first-applicable".

That is true. The difference is that only-one-applicable must effectively
evaluate all constituent policies, and first-applicable does not.

> 
> Appendix C.4 says that:
> In the entire set of policies in the policy set, if no policy is
> considered applicable by virtue of their targets, then the result of the
> policy combination algorithm SHALL be "NotApplicable". If more than one
> policy is considered applicable by virtue of their targets, then the
> result of the policy combination algorithm SHALL be "Indeterminate".

This specification is unfortunate. Because if more than two applicable
policies exist, one of them can certainly evaluate to Inapplicable.
However, its evaluation as stated here is consistent with the logic.

In my humble logical opinion, this combining rule sucks.
But I lost the argument on that one. :)

> So I think the applicability test for "only-one-applicable" is based
> solely on the evaluation of the target, and it seems to me that this is
> what Section 6 tries to note in the XACML Implementers Guide.

Unfortunately, I have not looked at the Implementers Guide.

> On the other hand, the applicability test for "first-applicable" is NOT
> based solely on the target evaluation. For example, in case of
> rule-combining, it is based on both the target and condition. So I don't
> think Section 6 in the XACML Implementers Guide is a good note on
> "first-applicable".

And on the policy combining rule it should be based on the target and the
full evaluation of the constituent policies, as I hope the following
section will point out.

> Appendix C.3 says that:

> For a particular rule, if the target matches and the condition evaluates
> to "True", then the evaluation of the policy SHALL halt and the
> corresponding effect of the rule SHALL be the result of the evaluation
> of the policy (i.e. "Permit" or "Deny").
> 
> For a particular policy, if the target evaluates to "True" and the
> policy evaluates to a determinate value of "Permit" or "Deny", then the
> evaluation SHALL halt and the policy set SHALL evaluate to the effect
> value of that policy.

I don't like the word "halt", but it gets the meaning across. It should
say something to the effect that, in the order of the listed constituent
policies/rules, the first one that yields a result of
(Permit/Deny/Indeterminate) shall be the result of the encompassing
policy set/policy. That way there isn't any kind of implication that these
things are evaluated in order in a lock-step fashion. For instance, they
can be evaluated in parallel.

Cheers,
-Polar

> Satoshi Hada
> IBM Tokyo Research Laboratory 
> mailto:satoshih@jp.ibm.com
> 
> 
> 
> 
> Polar Humenn <polar@syr.edu>
> 2003/04/18 22:29
>  
>         To:     Satoshi Hada/Japan/IBM@IBMJP
>         cc:     xacml-comment@lists.oasis-open.org
>         Subject:        Re: [xacml-comment] Two comments on XACML 
> Implementers Guide
> 
>  
> 
> On Fri, 18 Apr 2003, Satoshi Hada wrote:
> 
> > Two comments on XACML Implementers Guide:
> > 
> http://www.oasis-open.org/committees/xacml/repository/xacml-implement-guide-1.1.doc
> 
> > 
> > >> Section4 Bags
> > >> A singleton bag is NOT the same
> > >> as an instance of the datatype contained in the bag.
> > 
> > What does "a singleton bag" mean?
> > Does it mean a bag that contains a single attribute value?
> 
> Yes. 
> 
> > >> Section6 Combining algorithm.
> > >> First-Applicable: The "applicability" test is based solely on 
> > >> evaluation of the Target.
> > 
> > It seems to me that this is a description about 
> > Only-one-applicable (Appendix C.4)
> > rather than First-applicable (Appendix C.3).
> 
> I don't understand your point. The "applicability" test is based solely on
> the evaluation of the target, whether it is only-one-applicable, or
> first-applicable. Are you saying that the descriptions in Section six are 
> merely misplaced?
> 
> Cheers,
> -Polar
> 
> > Satoshi Hada
> > IBM Tokyo Research Laboratory 
> > mailto:satoshih@jp.ibm.com
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: xacml-comment-unsubscribe@lists.oasis-open.org
> For additional commands, e-mail: xacml-comment-help@lists.oasis-open.org
> 
> 
> 

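The two points argued over in this thread, that a designator returns a bag even when it holds one value, and that only-one-applicable decides applicability from targets alone while first-applicable decides it from the full evaluation of each constituent, are shown below as an added example. This is not code from the XACML specification, the Implementers Guide, or either correspondent. The attribute ids, the two policies and the request are constructed for illustration, bags are modelled as frozensets, and target matching is simplified to "the required value is in the bag":

```python
"""Toy XACML 1.0-style evaluator: bags, targets, rules and the two combining
algorithms discussed in the thread. Added example, not code from the XACML
spec, the Implementers Guide or either correspondent; all data is constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Optional

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"

Context = Dict[str, FrozenSet[str]]  # attribute id -> bag (modelled as a frozenset)
Target = Dict[str, str]              # attribute id -> value that must be in that bag

class Indeterminate(Exception):
    """Raised when an expression cannot be evaluated (e.g. wrong bag size)."""

def designator(ctx: Context, attr_id: str) -> FrozenSet[str]:
    """An AttributeDesignator always yields a bag: empty, singleton or larger."""
    return ctx.get(attr_id, frozenset())

def one_and_only(bag: FrozenSet[str]) -> str:
    """string-one-and-only: a singleton bag is not a string, so unwrap it;
    any other bag size makes the enclosing expression Indeterminate."""
    if len(bag) != 1:
        raise Indeterminate(f"expected a singleton bag, got {len(bag)} values")
    return next(iter(bag))

def target_matches(target: Target, ctx: Context) -> bool:
    return all(v in designator(ctx, a) for a, v in target.items())

@dataclass
class Rule:
    target: Target
    effect: str
    condition: Optional[Callable[[Context], bool]] = None

@dataclass
class Policy:
    target: Target
    rules: List[Rule] = field(default_factory=list)

def evaluate_rule(rule: Rule, ctx: Context) -> str:
    if not target_matches(rule.target, ctx):
        return NOT_APPLICABLE
    try:
        applies = rule.condition(ctx) if rule.condition else True
    except Indeterminate:
        return INDETERMINATE
    return rule.effect if applies else NOT_APPLICABLE

def first_applicable(results) -> str:
    """In listed order, the first Permit, Deny or Indeterminate decides; the
    constituent results may have been computed in any order, even in parallel."""
    for result in results:
        if result != NOT_APPLICABLE:
            return result
    return NOT_APPLICABLE

def evaluate_policy(policy: Policy, ctx: Context) -> str:
    """Target *and* rules decide: a matching target with no applicable rule
    still evaluates to NotApplicable."""
    if not target_matches(policy.target, ctx):
        return NOT_APPLICABLE
    return first_applicable(evaluate_rule(r, ctx) for r in policy.rules)

def only_one_applicable(policies: List[Policy], ctx: Context) -> str:
    """Targets alone decide applicability (Appendix C.4), so every constituent
    target is checked before any single policy body is evaluated."""
    applicable = [p for p in policies if target_matches(p.target, ctx)]
    if not applicable:
        return NOT_APPLICABLE
    if len(applicable) > 1:
        return INDETERMINATE  # even when all but one would be NotApplicable
    return evaluate_policy(applicable[0], ctx)

def evaluate_policy_set(policies: List[Policy], algorithm: str, ctx: Context) -> str:
    if algorithm == "only-one-applicable":
        return only_one_applicable(policies, ctx)
    return first_applicable(evaluate_policy(p, ctx) for p in policies)

# Constructed sample: both targets match the request below, but only the
# first policy has a rule that actually applies to subject "alice".
DOC_POLICY = Policy(
    target={"resource-id": "/docs/report"},
    rules=[Rule(target={}, effect=PERMIT,
                condition=lambda ctx: one_and_only(designator(ctx, "subject-id")) == "alice")],
)
READ_POLICY = Policy(
    target={"action-id": "read"},
    rules=[Rule(target={"subject-id": "bob"}, effect=DENY)],
)
REQUEST: Context = {
    "subject-id": frozenset({"alice"}),  # a singleton bag, not a bare string
    "resource-id": frozenset({"/docs/report"}),
    "action-id": frozenset({"read"}),
}

if __name__ == "__main__":
    print(evaluate_policy_set([DOC_POLICY, READ_POLICY], "only-one-applicable", REQUEST))  # Indeterminate
    print(evaluate_policy_set([DOC_POLICY, READ_POLICY], "first-applicable", REQUEST))     # Permit
```

Running the sample reproduces the situation described above: READ_POLICY's target matches the request, so only-one-applicable counts two applicable policies and returns Indeterminate, even though READ_POLICY on its own would evaluate to NotApplicable. first-applicable over the same two policies returns Permit, and because it selects on the results rather than on a stepwise evaluation, the constituent results can be computed in any order. A request whose subject-id bag holds two values makes string-one-and-only fail, so DOC_POLICY evaluates to Indeterminate rather than being silently treated as a single string.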