Subject: RE: [xacml-comment] Public Comment


On 10 November, diego gonzalez writes: RE: [xacml-comment] Public Comment
 > I think this question can be completed with the following comment. In
 > the section 7.5 there is a list of functions that meet the requirements
 > to be used in a Match operation. Those functions are prefixed with
 > "urn:oasis:names:tc:xacml:2.0:function", it means all the functions will
 > change its prefix in 2.0 or this is a typo error?

Only new functions that were not in XACML 1.0/1.1 should have the
urn:oasis:names:tc:xacml:2.0:function namespace.

 > And also raises the following question about the new functions: There
 > will be new "match-related" functions for the new data types?
 > 
 > urn:oasis:names:tc:xacml:2.0:function:-dnsName-equal
 > urn:oasis:names:tc:xacml:2.0:function:-dnsName-greater-than
 > urn:oasis:names:tc:xacml:2.0:function:-dnsName-greater-than-or-equal
 > urn:oasis:names:tc:xacml:2.0:function:-dnsName-less-than
 > urn:oasis:names:tc:xacml:2.0:function:-dnsName-less-than-or-equal
 > urn:oasis:names:tc:xacml:2.0:function:-dnsName-match
 > 
 > urn:oasis:names:tc:xacml:2.0:function:-ipAddress-equal
 > urn:oasis:names:tc:xacml:2.0:function:-ipAddress-greater-than
 > urn:oasis:names:tc:xacml:2.0:function:-ipAddress-greater-than-or-equal
 > urn:oasis:names:tc:xacml:2.0:function:-ipAddress-less-than
 > urn:oasis:names:tc:xacml:2.0:function:-ipAddress-less-than-or-equal
 > urn:oasis:names:tc:xacml:2.0:function:-ipAddress-match

No.  There will not be new match functions here.
o ipAddress-equal and dnsName-equal are not very helpful because
  of the varied formats in which such data are expressed.
o greater-than, ... functions for dnsName are not semantically
  meaningful (unless converted to ipAddress)
o greater-than, ... functions for ipAddress would make some
  sense, but we have not tried to define them.  Support for
  ipAddress-match using masks would have been nice, but we could
  not find a good reference function.

After much argument, we decided that using regular expression
matches would be the most "standard" way to handle matching of
ipAddress and dnsName types, not requiring the implementation of
new, non-standard functionality.

Anne

 > Thanks,
 > Diego Gonzalez
 > Lagash Systems SA
 > 
 > -----Original Message-----
 > From: comment-form@oasis-open.org [mailto:comment-form@oasis-open.org] 
 > Sent: Tuesday, November 09, 2004 11:54 PM
 > To: xacml-comment@lists.oasis-open.org
 > Subject: [xacml-comment] Public Comment
 > 
 > Comment from: Haruyuki.Kawabe@unisys.co.jp
 > 
 > Following datatypes and functions are introduced since XACML 2.0:
 >  - dnsName
 >  - ipAddress
 >  - regexp-dnsName-match
 >  - regexp-ipAddress-match
 >  - regexp-uri-match
 > They are defined in the namespace
 > "urn:oasis:names:tc:xacml:1.0:data-type" and
 > "urn:oasis:names:tc:xacml:1.0:function" respectively.
 > They should be defined in the XACML 2.0 namespace
 > "urn:oasis:names:tc:xacml:2.0" as same as string-concatenate and
 > uri-string-concatenate.
 > 

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
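
The trade-off described in the reply above, as an added example that is not part of the original message or of the XACML specification: Python's `ipaddress` and `re` modules stand in for a mask-based match and a regular-expression match over address strings, and show why a regex used for address matching has to be anchored and dot-escaped. The sample textual forms, the function names and the unanchored `re.search` semantics are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample values. The textual forms (bare address, address with
# port, address with mask) are assumptions made for this illustration.
SAMPLES = ["10.1.2.3", "10.1.2.3:443", "10.1.2.3/255.255.0.0",
           "10.10.2.3", "110.12.3.4"]

def host_part(value):
    """Return the leading dotted quad of a textual address value."""
    m = re.match(r"\d{1,3}(?:\.\d{1,3}){3}", value)
    if m is None:
        raise ValueError(f"no IPv4 address in {value!r}")
    return m.group(0)

def mask_match(cidr, value):
    """Mask-based membership test on the parsed address."""
    return ipaddress.ip_address(host_part(value)) in ipaddress.ip_network(cidr)

def regex_match(pattern, value):
    """Unanchored search; stands in for a policy engine's regex match (assumption)."""
    return re.search(pattern, value) is not None

def cidr_to_regex(cidr):
    """Build an anchored, dot-escaped pattern for an octet-aligned IPv4 prefix."""
    net = ipaddress.ip_network(cidr)
    if net.version != 4 or net.prefixlen % 8:
        raise ValueError("only octet-aligned IPv4 prefixes map cleanly to a regex")
    fixed = str(net.network_address).split(".")[: net.prefixlen // 8]
    parts = fixed + [r"\d{1,3}"] * (4 - len(fixed))
    # Allow an optional trailing mask or port after the address itself.
    return "^" + r"\.".join(parts) + r"(?:[/:].*)?$"

def compare(cidr, loose_pattern, values=SAMPLES):
    """Return (value, mask result, loose regex result, strict regex result) rows."""
    strict = cidr_to_regex(cidr)
    return [(v, mask_match(cidr, v), regex_match(loose_pattern, v),
             regex_match(strict, v)) for v in values]

if __name__ == "__main__":
    # "10.1." is the kind of pattern a policy author might write by hand.
    for row in compare("10.1.0.0/16", "10.1."):
        print(row)
```

The hand-written pattern accepts `10.10.2.3` and `110.12.3.4`, which the mask test rejects; the generated pattern agrees with the mask test on every sample, but only prefixes that fall on an octet boundary can be expressed this way.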


