[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: The x500Name-match function is not clearly defined
The description of the x500Name-match function in Appendix A.3.14 of the XACML 3.0 core specification is ambiguous. The function operates on values of the x500Name data-type, which despite its name uses the LDAP DN format for its concrete syntax. The source of ambiguity in the function definition comes from the fact that LDAP orders the RDNs in a distinguished name in the opposite order to X.500. In my experience, the most common use case for matching of DNs after straight equality matching is testing whether one entry (the descendant) is in the subtree of another entry (the ancestor), including the possibility that they are the same entry. In X.500 terms this means testing whether the DN of the ancestor is the same as, or a prefix of, the DN of the descendant. In LDAP terms this means testing whether the DN of the ancestor is the same as, or a suffix of, the DN of the descendant. It is plausible that this is what the x500Name-match is meant to do so this is how I have implemented it. However, it would better if the standard made this clear. I note also from the mail archives that the precise meaning of "some terminal sequence of RDNs" is open to interpretation. Here is my suggestion for an improved description of the x500Name-match function: This function shall take two arguments of "urn:oasis:names:tc:xacml:1.0:data-type:x500Name" and shall return an "http://www.w3.org/2001/XMLSchema#boolean". It shall return "True" if and only if there is a contiguous sequence of RDNs in the second argument that includes the final (rightmost) RDN and is equal to the first argument according to the x500Name-equal function. For example, the following expression SHALL return "True": <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:x500Name-match"> <AttributeValue DataType="urn:oasis:names:tc:xacml:1.0:data-type:x500Name" >ou=Finance,o=Acme</AttributeValue> <AttributeValue DataType="urn:oasis:names:tc:xacml:1.0:data-type:x500Name" >cn=John Smith,ou=Finance,o=Acme</AttributeValue> </Apply> Note that LDAP encodes the RDNs in the reverse order to X.500. XACML uses the LDAP encoding for the x500Name data-type and this function is defined in terms of the LDAP ordering. Regards, Steven
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]