Subject: Re: [xacml] Agenda for November 15 Telecon...

I am having trouble coming to grips with this concept in a practical sense.

Here is an example of something that I work with on a regular basis: content filtering.

Let's suppose that I want to use a PEP to filter e-mail/news/media feeds, etc. based upon content. Here are some examples:

ALLOW (the easy stuff)


DENY ('score' based, may require multiple hits to deny)
Content: [(no)?(without)?].obligation
Content: over.(18|eighteen)
Content: bargain
Content: (^debt|[ ]debt)
Content: save.big
Content: no.*fee

This is a small sample of the hundreds (if not thousands) of conditions that can be used (I personally have hundreds). Conversely, the number of possible character combinations comprising a request is literally infinite. Describing the ALLOWs is easy, but how does one generate a policy that says:

deny message if the content contains: (^debt|[ ]debt) ?



Pierangela Samarati wrote:

 > Hi,
 > as mentioned in the concall today, at the last policy committee
 > call we discussed the issue of positive (meaning permissions; e.g.,
 > "this principal can access this resource") and negative authorizations
 > (meaning denials: "this principal cannot access this resource").
 > While it is true that you cannot do with permissions alone (many cases
 > call for more flexibility), it is also true that having denials
 > complicates the framework (mostly also since when you start having them
 > you start thinking of the different semantics that they can carry - and
 > that whoever specified the rule may have intended).
 > I had proposed an alternative solution inspired by a recent work, which
 > goes as follows. Distinguish two kinds of rules:
 > 1) the ones that specify sufficient conditions (which are the permissions
 > above)
 > 2) the ones that specify necessary conditions.
 > Instead of repeating descriptions and examples here, I am attaching a
 > file of that work where the two forms of rules are introduced (Section
 > 4.2). Of course our language is different as it is more expressive; but that
 > gives the idea.
 > Only one thing: what I call "subject"
 > there is our "principal", and what I call "object" is our "resource".
 > Please just send me email (or post to the group) for any clarification that may
 > be needed, and any comments.
 > Best,
 > -p
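The following is an added example, not code from this thread or from the XACML TC: it implements the two-rule-kind scheme described in the quoted mail (sufficient-condition rules that grant, necessary-condition rules that can only veto) and uses it to express the score-based DENY from the message above as a single necessary condition rather than as hundreds of negative authorizations. The content patterns are the ones listed in the message; the deny threshold of two hits, the sender domain, the resource names and the sample messages are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Content-scoring patterns copied from the message above, applied
# case-insensitively. The first one is quoted exactly as the page shows
# it (character class included); the rest are ordinary regexes.
DENY_PATTERNS: List[str] = [
    r"[(no)?(without)?].obligation",
    r"over.(18|eighteen)",
    r"bargain",
    r"(^debt|[ ]debt)",
    r"save.big",
    r"no.*fee",
]

# Assumption: two or more pattern hits mark a message as unwanted.
# The threshold is illustrative, not taken from the page.
DENY_THRESHOLD = 2

Request = Dict[str, str]


@dataclass(frozen=True)
class Rule:
    name: str
    kind: str                        # "sufficient" or "necessary"
    holds: Callable[[Request], bool]


def content_hits(content: str) -> List[str]:
    """Return the deny patterns that match anywhere in the content."""
    flags = re.IGNORECASE | re.MULTILINE
    return [p for p in DENY_PATTERNS if re.search(p, content, flags)]


def evaluate(request: Request, rules: List[Rule]) -> Tuple[str, List[str]]:
    """Decide a request under the scheme from the quoted mail.

    Every necessary-condition rule must hold and at least one
    sufficient-condition rule must hold; otherwise the answer is DENY.
    The second element names the rules that decided the outcome, so a
    veto is distinguishable from the mere absence of a permission.
    """
    failed = [r.name for r in rules if r.kind == "necessary" and not r.holds(request)]
    if failed:
        return "DENY", failed
    granted = [r.name for r in rules if r.kind == "sufficient" and r.holds(request)]
    if granted:
        return "PERMIT", granted
    return "DENY", ["no sufficient condition matched"]


# Assumed policy for an e-mail PEP (constructed for this example).
POLICY: List[Rule] = [
    # Sufficient conditions: the "easy" ALLOW side.
    Rule("sender-in-org", "sufficient",
         lambda r: r["principal"].lower().endswith("@example.org")),
    Rule("subscribed-list", "sufficient",
         lambda r: r["resource"] == "xacml-list"),
    # Necessary condition: the score-based content filter. It never
    # grants anything by itself; it can only veto a permission, and
    # a single hit is not enough to trigger it.
    Rule("content-score-below-threshold", "necessary",
         lambda r: len(content_hits(r["content"])) < DENY_THRESHOLD),
]

# Constructed sample messages (not from the page).
SAMPLES: Dict[str, Request] = {
    "colleague": {
        "principal": "alice@example.org",
        "resource": "xacml-list",
        "content": "Minutes from the November 15 telecon are attached.",
    },
    "spam": {
        "principal": "promo@example.net",
        "resource": "xacml-list",
        "content": "Save BIG on bargain rates, over 18 only, no monthly fee!",
    },
    "one-hit": {
        "principal": "bob@example.org",
        "resource": "xacml-list",
        "content": "Question about debt accounting in the obligation schema",
    },
    "stranger": {
        "principal": "carol@example.net",
        "resource": "private-mailbox",
        "content": "Hello, may I join the list?",
    },
}


def decide_all() -> Dict[str, Tuple[str, List[str]]]:
    """Evaluate every sample message against POLICY."""
    return {name: evaluate(req, POLICY) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, (decision, why) in decide_all().items():
        print(f"{name:10s} {decision:6s} {', '.join(why)}")
```

The point the example makes: the filter's infinitely many "bad" inputs never have to be enumerated as individual denials. The ALLOW side stays a short list of sufficient conditions, and the whole regex corpus collapses into one necessary condition whose predicate computes the score, so adding a pattern changes data, not policy structure. The "stranger" sample is denied because no permission applies, which the result distinguishes from the "spam" sample's veto.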
