OASIS Mailing List Archives

xacml message


Subject: Re: [xacml] XACML Issues List Version 01


Hi
  
> I believe Periangela's list was missing one issue from Tim, so that will
> have to be added in.

Yes, I was missing a proposal by Tim with respect to issue
[PM-1-02: Post-conditions]. I included it by changing the description 
of the issue in my copy while on the concall Monday, as reported below.
Could you pls substitute the paragraph below for the current one?
thx.

best
-p

----------------------------------------

  * post-condition. The current schema [Tim, Jan.3] mentions
    post-conditions, distinguishing between external and internal,
    depending on whether their execution requires dialoging with
    external entities. The current schema suggests (via a comment)
    that post-conditions can be expressed as invocations of SOAP
    services. Post-conditions are still to be discussed in detail:
    what is their semantics; how are they executed? A complication of
    post-conditions associated with a rule involves the distributed
    scenario (see POLICY COMPOSITION issue). In fact, if I say that a
    post-condition should be applied whenever a rule fires then I have
    to evaluate *all* rules. A possible way to overcome this problem
    is to consider that post-conditions associated with the
    authorizations that were evaluated to get to an access decision
    should be executed [Tim]. Note: a possible drawback of this
    approach is that deterministic behavior may be lost. For instance,
    there may be N rules applying to an access. If the evaluation of 1
    of them leads to a ``permit'' decision (so there is no need to
    evaluate the others), then you would ignore the postconditions
    possibly associated with the other N-1. Different executions of the
    same request on the same state could then have a different
    behavior (because a different rule is considered as authorizing
    the request).

------------------------------------------------------------
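
The determinism concern in the issue text above can be reproduced with a small model. This is an added example, not part of the original message or of any XACML schema; the rule names, request attributes, post-condition labels and the use of permutations to stand in for an unspecified evaluation order are all constructed assumptions.

```python
from itertools import permutations

# Constructed rules: (name, applicability test, post-conditions attached to the rule)
RULES = [
    ("r1", lambda req: req["role"] == "doctor", ("log-access",)),
    ("r2", lambda req: req["dept"] == "cardiology", ("notify-owner",)),
    ("r3", lambda req: req["role"] == "auditor", ("email-admin",)),
]

# Constructed request to which both r1 and r2 apply
REQUEST = {"role": "doctor", "dept": "cardiology"}


def short_circuit(rules, request):
    """Stop at the first rule that permits; only that rule's
    post-conditions are executed, the remaining rules are never evaluated."""
    evaluated = 0
    for _name, applies, post in rules:
        evaluated += 1
        if applies(request):
            return "permit", frozenset(post), evaluated
    return "deny", frozenset(), evaluated


def evaluate_all(rules, request):
    """Evaluate every rule and execute the post-conditions of each rule that fires."""
    decision, posts = "deny", set()
    for _name, applies, post in rules:
        if applies(request):
            decision = "permit"
            posts.update(post)
    return decision, frozenset(posts), len(rules)


def outcomes(strategy, rules, request):
    """Distinct (decision, post-conditions) pairs over every evaluation order."""
    return {strategy(list(order), request)[:2] for order in permutations(rules)}


if __name__ == "__main__":
    for strategy in (short_circuit, evaluate_all):
        print(strategy.__name__)
        for decision, posts in sorted(outcomes(strategy, RULES, REQUEST), key=str):
            print("  ", decision, sorted(posts))
```

The access decision is "permit" in every case; what varies under short-circuit evaluation is which post-condition runs, while evaluating all rules gives one stable set at the cost of visiting every rule.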