[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: XACML 3.0 wd 7
Hi, the section about the combining algorithms has been reworked, and I found some new mistakes in it: In the policy combining algorithm deny-overrides, the outcome of step 2 should probably be Indeterminate, not Deny. That would match more closely with the intention of the deny-overrides rule combining algorithm. The wording in the definitions is a bit confusing: It says "The following is the specification: The following is non-normative: (some informative text) (some normative text)". I would reword that into: ---start quote--- C.1 Deny-overrides [Informative Note: The deny-overrides rule combining algorithm is intended for those cases where a deny decision should have priority over a permit decision.] The following specification ... ---end quote--- In the permit-overrides policy combining algorithm the steps 2 and 3 are swapped (compared with deny-overrides). Why? It shouldn't be, since an Indeterminate result could mean Permit. Roland
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]