Subject: Re: [xacml] change request: xacml context attributes and data types


i suggest that this has to evaluate to FALSE.

INDETERMINATE implies that the value is out of scope of the data set. while it may be argued that this is true at the philosophical level, i don't think it is consistent with how we are handling similar issues--what happens if a PEP requests to 'toad the wet sprocket' (resource unknown, action unknown)?

this is consistent with my current assumptions that these values will be evaluated as [right-to-left] string comparisons. if that isn't the case, then i would like to hear the reasoning for requiring the logic necessary to differentiate between the two at evaluation time (explicit vs. implicit run-time type validation).

b

Polar Humenn wrote:
> 
> I agree with removing the dataType attribute from the
> xacml-context:Attribute.
> 
> However, the implications are this:
> 
> If you have an Attribute of "subject-id" and its value is:
> 
>   <AttributeValue>CN=Simon Godik, O=OverXeer, OU=Research</AttributeValue>
> 
> What does the designator:
> 
> <SubjectMatch MatchId="function:rfc822Name-equal">
> 	<SubjectAttributeDesignator AttributeId="subject-id"/>
> 	<AttributeValue>simon@godik.com</AttributeValue>
> </SubjectMatch>
> 
> evaluate to?
> 
> Does it evaluate to "indeterminate" because the formal type of
> rfc822Name-equal is
>          xacml:rfc822Name -> xacml:rfc822Name -> Bool
> and the attribute value is an invalid representation of an rfc822Name.
> 
> Or does it evaluate to "false"?
> 
> The question in the context of its application, the
> 	<SubjectAttributeDesignator Attribute="subject-id">
> shall return a bag of "rfc822Name", which means that every "subject-id"
> attribute must have a parseable rfc822Name representation as a value.
> 
> So, does the designator return "indeterminate" because not *all* values
> under "subject-id" are valid string representations of rfc822Name?
> 
> Or does it return a bag of rfc822Names of *only* the values under
> "subject-id" that do have valid string representations of rfc822Names? In
> the example above for the latter case, this designator would return an
> empty bag.
> 
> I don't think I'll be able to comment much further, I have to leave real
> soon.  It's food for thought.
> 
> Cheers,
> -Polar
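The three readings discussed in this thread (the designator returning "indeterminate" when any value fails to parse, the designator filtering down to only the parseable values, or b's plain string comparison) modelled side by side on Polar's example. This is an added illustration, not code from the thread or from any XACML implementation; the rfc822Name grammar (one '@', local part compared exactly, domain part case-insensitively) is a simplifying assumption.

```python
import re

# Constructed sample: the xacml-context Attribute value and the policy literal from the thread.
SUBJECT_ID_VALUES = ["CN=Simon Godik, O=OverXeer, OU=Research"]
MATCH_VALUE = "simon@godik.com"

INDETERMINATE = "indeterminate"

# Assumed rfc822Name grammar: exactly one '@' with non-empty local and domain parts.
RFC822_RE = re.compile(r"^([^@\s]+)@([^@\s]+)$")


def parse_rfc822(value):
    """Return (local, domain) for a valid rfc822Name, or None if the string does not parse."""
    m = RFC822_RE.match(value)
    # Assumption: local part is case-sensitive, domain part is not.
    return (m.group(1), m.group(2).lower()) if m else None


def designator(values, mode):
    """Model the bag returned by SubjectAttributeDesignator under one of three readings.

    strict: any unparseable value makes the whole designator indeterminate
    filter: keep only the values that parse (may yield an empty bag)
    string: no typing at all; the raw strings are returned (b's reading)
    """
    if mode == "string":
        return list(values)
    parsed = [parse_rfc822(v) for v in values]
    if mode == "strict" and any(p is None for p in parsed):
        return INDETERMINATE
    return [p for p in parsed if p is not None]


def subject_match(values, match_value, mode):
    """Evaluate <SubjectMatch MatchId="function:rfc822Name-equal"> under the chosen reading."""
    bag = designator(values, mode)
    if bag == INDETERMINATE:
        return INDETERMINATE
    if mode == "string":
        return any(v == match_value for v in bag)
    target = parse_rfc822(match_value)
    if target is None:
        return INDETERMINATE  # the literal written into the policy is itself malformed
    # An empty bag matches nothing, so the "filter" reading yields False for Polar's example.
    return any(v == target for v in bag)
```

Running `subject_match(SUBJECT_ID_VALUES, MATCH_VALUE, mode)` for the three modes returns "indeterminate", False and False respectively, which is exactly the divergence the thread is about.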


