OASIS Mailing List Archives

xacml-comment message


Subject: XACML 3.0 wd 7


Hi,

the section about the combining algorithms has been reworked, and I
found some new mistakes in it:

In the policy combining algorithm deny-overrides, the outcome of step 2
should probably be Indeterminate, not Deny. That would match more
closely with the intention of the deny-overrides rule combining algorithm.

The wording in the definitions is a bit confusing: It says "The
following is the specification: The following is non-normative: (some
informative text) (some normative text)". I would reword that into:

---start quote---
C.1 Deny-overrides

[Informative Note: The deny-overrides rule combining algorithm is
intended for those cases where a deny decision should have priority over
a permit decision.]

The following specification ...
---end quote---

In the permit-overrides policy combining algorithm the steps 2 and 3 are
swapped (compared with deny-overrides). Why? It shouldn't be, since an
Indeterminate result could mean Permit.

Roland
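
Added example, not part of the message above or of the XACML draft: a simplified Python model of the two overrides combining algorithms, showing why the position of the Indeterminate check matters. The function names and the modelling choice that an Indeterminate child "could have been" Permit, Deny or NotApplicable are assumptions; the actual wd 7 step text is not reproduced here.

```python
from itertools import product

PERMIT, DENY, NA, INDET = "Permit", "Deny", "NotApplicable", "Indeterminate"


def combine(decisions, overriding, indeterminate_first):
    """Simplified X-overrides combiner (assumed model, not the wd 7 text).

    overriding          -- PERMIT for permit-overrides, DENY for deny-overrides
    indeterminate_first -- True: check Indeterminate before the non-overriding
                           decision; False: the swapped order
    """
    other = DENY if overriding == PERMIT else PERMIT
    if overriding in decisions:          # step 1: the overriding decision wins
        return overriding
    order = [INDET, other] if indeterminate_first else [other, INDET]
    for candidate in order:              # steps 2 and 3, in the chosen order
        if candidate in decisions:
            return candidate
    return NA


def is_sound(decisions, overriding, indeterminate_first):
    """True if the combined result cannot be contradicted by any value the
    Indeterminate children might have produced had they evaluated cleanly."""
    result = combine(decisions, overriding, indeterminate_first)
    if result == INDET:
        return True                      # the combiner admits it does not know
    slots = [i for i, d in enumerate(decisions) if d == INDET]
    for fill in product([PERMIT, DENY, NA], repeat=len(slots)):
        resolved = list(decisions)
        for i, value in zip(slots, fill):
            resolved[i] = value
        if combine(resolved, overriding, indeterminate_first) != result:
            return False
    return True


if __name__ == "__main__":
    children = [DENY, INDET]             # constructed sample input
    for first in (False, True):
        print("permit-overrides, Indeterminate checked first =", first,
              "->", combine(children, PERMIT, first),
              "| sound:", is_sound(children, PERMIT, first))
```
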

