xacml-comment message

Subject: Re: [xacml-comment] XACML 3.0 wd 7

Thanks Roland,

See inline.

Roland Illig wrote:
> Hi,
> the section about the combining algorithms has been reworked, and I
> found some new mistakes in it:
> In the policy combining algorithm deny-overrides, the outcome of step 2
> should probably be Indeterminate, not Deny. That would match more
> closely with the intention of the deny-overrides rule combining algorithm.

This is the old deny-overrides policy combining algorithm, which indeed
returns Deny in case there is an Indeterminate, which is, as you say,
different from how the rule combining algorithm works. That is how it
has been since XACML 1.0 and we cannot change this. We had a long
discussion on the TC list about it in the past months, and we recognized
this problem and called it "bias". Since we don't want to change the
semantics of already defined identifiers, there are now new identifiers
for new combining algorithms, which you can see in the recent WD 8.

BTW, you are very welcome to give the new algorithms a thorough review.
We really appreciate more eyeballs which can spot mistakes. :-)

> The wording in the definitions is a bit confusing: It says "The
> following is the specification: The following is non-normative: (some
> informative text) (some normative text)". I would reword that into:
> ---start quote---
> C.1 Deny-overrides
> [Informative Note: The deny-overrides rule combining algorithm is
> intended for those cases where a deny decision should have priority over
> a permit decision.]
> The following specification ...
> ---end quote---

I agree that the current wording is confusing. I will improve it. Thanks.

> In the permit-overrides policy combining algorithm the steps 2 and 3 are
> swapped (compared with deny-overrides). Why? It shouldn't be, since an
> Indeterminate result could mean Permit.

Again, this is how things were in XACML 1.0, and we cannot change that.
I wasn't part of that work, but I think it was because some members of
the TC probably felt that the safe thing is to give priority to Deny.
However, that is not the role of the general *-overrides combining
algorithms to decide. It's either for the PEP to have a bias, or the
policy author can use the new combining algorithms from WD 8 to
eliminate Indeterminates. Again, see the long discussions in the recent
months on the TC list.

Best regards,
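As an added illustration (not part of this thread, and not the XACML TC's own text), here are the legacy deny-overrides and permit-overrides policy combining algorithms the reply refers to, coded in Python so the asymmetry is visible on concrete inputs. The step order is assumed from the XACML 2.0 text that WD 7 carries over; the audit helper at the end is my own addition, not something the specification defines.

```python
"""Legacy XACML *-overrides policy combining algorithms (XACML 1.0/2.0 semantics).

Step order assumed from the XACML 2.0 specification text; the audit helper is an
added convenience for operators and is not part of any XACML specification.
"""

DENY = "Deny"
PERMIT = "Permit"
INDETERMINATE = "Indeterminate"
NOT_APPLICABLE = "NotApplicable"


def deny_overrides(decisions):
    """Legacy deny-overrides policy combining.

    Step 2 is the "bias" the thread discusses: an Indeterminate, which may only
    mean that a policy could not be evaluated, is collapsed into Deny.
    """
    ds = list(decisions)
    if DENY in ds:             # step 1: any explicit Deny wins
        return DENY
    if INDETERMINATE in ds:    # step 2: an evaluation failure is treated as Deny
        return DENY
    if PERMIT in ds:           # step 3: only now may a Permit win
        return PERMIT
    return NOT_APPLICABLE      # step 4: nothing matched


def permit_overrides(decisions):
    """Legacy permit-overrides policy combining.

    Not the mirror image of deny_overrides: Deny is checked before Indeterminate
    (steps 2 and 3 "swapped"), so an Indeterminate never collapses into Permit.
    """
    ds = list(decisions)
    if PERMIT in ds:           # step 1: any explicit Permit wins
        return PERMIT
    if DENY in ds:             # step 2: Deny beats an Indeterminate
        return DENY
    if INDETERMINATE in ds:    # step 3: Indeterminate is passed through, not mapped to Permit
        return INDETERMINATE
    return NOT_APPLICABLE      # step 4


def deny_overrides_with_audit(decisions):
    """Added helper (not in the spec): the combined decision plus a flag that is True
    when the Deny was produced by step 2, i.e. by an evaluation failure rather than by
    an explicit Deny. A PDP operator can log or alert on such masked failures."""
    ds = list(decisions)
    result = deny_overrides(ds)
    masked_failure = result == DENY and DENY not in ds
    return result, masked_failure
```

Feeding the same set of policy results to both functions shows the asymmetry: [Indeterminate, Permit] yields Deny under deny-overrides but Permit under permit-overrides, and a lone Indeterminate yields Deny under the former but stays Indeterminate under the latter.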