

Subject: Re: [xacml] change request: xacml context attributes and data types


Polar,
I assume we have x500Name data type and rfc822Name data type.
(At least those types are mentioned in the current draft).
In other words, they are not merely strings.
In this case, in your example there is a type conversion error
and the result would be indeterminate.
Simon

----- Original Message -----
From: "Polar Humenn" <polar@syr.edu>
To: "Simon Godik" <simon@godik.com>
Cc: <xacml@lists.oasis-open.org>
Sent: Friday, September 27, 2002 6:58 AM
Subject: Re: [xacml] change request: xacml context attributes and data types


>
>
> I agree with removing the dataType attribute from the
> xacml-context:Attribute.
>
> However, the implications are this:
>
> If you have an Attribute of "subject-id" and its value is:
>
>   <AttributeValue>CN=Simon Godik, O=OverXeer, OU=Research</AttributeValue>
>
> What does the designator:
>
> <SubjectMatch MatchId="function:rfc822Name-equal">
> <SubjectAttributeDesignator AttributeId="subject-id"/>
> <AttributeValue>simon@godik.com</AttributeValue>
> </SubjectMatch>
>
> evaluate to?
>
> Does it evaluate to "indeterminate" because the formal type of
> rfc822Name-equal is
>          xacml:rfc822Name -> xacml:rfc822Name -> Bool
> and the attribute value is an invalid representation of an rfc822Name.
>
> Or does it evaluate to "false"?
>
> The question in the context of its application, the
> <SubjectAttributeDesignator Attribute="subject-id">
> shall return a bag of "rfc822Name", which means that every "subject-id"
> attribute must have a parseable rfc822Name representation as a value.
>
> So, does the designator return "indeterminate" because not *all* values
> under "subject-id"  are valid string representations of rfc822Name?
>
> Or does it return a bag of rfc822Names of *only* the values under
> "subject-id" that do have valid string representations of rfc822Names? In
> the example above for the latter case, this designator would return an
> empty bag.
>
> I don't think I'll be able to comment much further, I have to leave real
> soon.  It's food for thought.
>
> Cheers,
> -Polar
>
>
>
> On Fri, 27 Sep 2002, Simon Godik wrote:
>
> > Currently <xacml-context:Attribute> element allows DataType attribute.
> >
> > Rationale for keeping DataType attribute in the <xacml-context:Attribute> element was that
> > it can sometimes be helpful, such as specifying subject-id format, like
> > subject-id="cn=simon", data-type="x500-name"
> >
> > But this information is redundant, because subject-id attribute will be passed to the specific
> > function that expects arguments of certain type. For example, if subject-id is passed to
> > the x500Name-equal function it expects its arguments to be in x500 name format.
> >
> > So data type does not add value here.
> >
> > Another problem is that we can not access DataType attribute with AttributeDesignator.
> >
> > Proposal: remove DataType attribute from the <xacml-context:Attribute>.
> >
> > Simon
> >
> >
>
>
>
>
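
The two readings of the typed designator raised in this thread, modelled as an added Python example (not code from the thread or from the XACML specification). The `parse_rfc822_name` check is a deliberately simplified assumption, the function names are hypothetical, and the mixed-value bag goes one step beyond the thread's single-value example.

```python
# Added example: models the two designator semantics debated in this thread.
from enum import Enum

class Result(Enum):
    TRUE = "true"
    FALSE = "false"
    INDETERMINATE = "indeterminate"

class ConversionError(ValueError):
    """Raised when a string is not a valid representation of the target type."""

def parse_rfc822_name(text):
    # Simplified assumption: local@domain, exactly one '@', no spaces.
    text = text.strip()
    local, sep, domain = text.partition("@")
    if not sep or not local or not domain or "@" in domain or " " in text:
        raise ConversionError(f"not an rfc822Name: {text!r}")
    return (local, domain.lower())  # domain compared case-insensitively here

def designator_strict(values):
    # Reading 1: every value must convert, otherwise the error propagates.
    return [parse_rfc822_name(v) for v in values]

def designator_filtering(values):
    # Reading 2: return a bag of only the values that convert.
    bag = []
    for v in values:
        try:
            bag.append(parse_rfc822_name(v))
        except ConversionError:
            pass  # malformed value is silently dropped
    return bag

def subject_match(designator, values, literal):
    # rfc822Name-equal against the bag; a conversion error yields Indeterminate.
    try:
        wanted = parse_rfc822_name(literal)
        bag = designator(values)
    except ConversionError:
        return Result.INDETERMINATE
    return Result.TRUE if wanted in bag else Result.FALSE

# Constructed request context: the subject-id value quoted in the thread.
X500_ONLY = ["CN=Simon Godik, O=OverXeer, OU=Research"]
MIXED = X500_ONLY + ["simon@godik.com"]  # constructed multi-valued case

if __name__ == "__main__":
    for name, d in (("strict", designator_strict), ("filtering", designator_filtering)):
        for label, vals in (("x500 only", X500_ONLY), ("mixed", MIXED)):
            print(name, label, subject_match(d, vals, "simon@godik.com").value)
```

Under the filtering reading the malformed value never surfaces as an error, so a policy author cannot distinguish "no such subject" from "subject-id was in the wrong format".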


