Subject: Re: [xacml] change request: xacml context attributes and data types
I have limited internet access, and I'm really busy here downing the Vodka with ZZTop, who was staying at the hotel last night after their concert. I haven't gotten to even open up V17 yet.

So we are back to putting the x500Name data type back in the attribute designator?

Geez, I thought the vodka was making my head spin!

-Polar

On Fri, 27 Sep 2002, Simon Godik wrote:

> Polar,
> I assume we have x500Name data type and rfc822Name data type.
> (At least those types are mentioned in the current draft).
> In other words, they are not merely strings.
> In this case, in your example there is type conversion error
> and result would be indeterminate.
> Simon
>
> ----- Original Message -----
> From: "Polar Humenn" <polar@syr.edu>
> To: "Simon Godik" <simon@godik.com>
> Cc: <xacml@lists.oasis-open.org>
> Sent: Friday, September 27, 2002 6:58 AM
> Subject: Re: [xacml] change request: xacml context attributes and data types
>
> > I agree with removing the dataType attribute from the
> > xacml-context:Attribute.
> >
> > However, the implications are this:
> >
> > If you have an Attribute of "subject-id" and its value is:
> >
> > <AttributeValue>CN=Simon Godik, O=OverXeer, OU=Research</AttributeValue>
> >
> > What does the designator:
> >
> > <SubjectMatch MatchId="function:rfc822Name-equal">
> >   <SubjectAttributeDesignator AttributeId="subject-id"/>
> >   <AttributeValue>simon@godik.com</AttributeValue>
> > </SubjectMatch>
> >
> > evaluate to?
> >
> > Does it evaluate to "indeterminate" because the formal type of
> > rfc822Name-equal is
> > xacml:rfc822Name -> xacml:rfc822Name -> Bool
> > and the attribute value is an invalid representation of an rfc822Name.
> >
> > Or does it evaluate to "false"?
> >
> > The question in the context of its application, the
> > <SubjectAttributeDesignator Attribute="subject-id">
> > shall return a bag of "rfc822Name", which means that every "subject-id"
> > attribute must have a parseable rfc822Name representation as a value.
> >
> > So, does the designator return "indeterminate" because not *all* values
> > under "subject-id" are valid string representations of rfc822Name?
> >
> > Or does it return a bag of rfc822Names of *only* the values under
> > "subject-id" that do have valid string representations of rfc822Names? In
> > the example above for the latter case, this designator would return an
> > empty bag.
> >
> > I don't think I'll be able to comment much further, I have to leave real
> > soon. It's food for thought.
> >
> > Cheers,
> > -Polar
> >
> > On Fri, 27 Sep 2002, Simon Godik wrote:
> >
> > > Currently <xacml-context:Attribute> element allows DataType attribute.
> > >
> > > Rationale for keeping DataType attribute in the <xacml-context:Attribute> element was that
> > > it can sometimes be helpful, such as specifying subject-id format, like
> > > subject-id="cn=simon", data-type="x500-name"
> > >
> > > But this information is redundant, because subject-id attribute will be passed to the specific
> > > function that expects arguments of certain type. For example, if subject-id is passed to
> > > the x500Name-equal function it expects its arguments to be in x500 name format.
> > >
> > > So data type does not add value here.
> > >
> > > Another problem is that we can not access DataType attribute with AttributeDesignator.
> > >
> > > Proposal: remove DataType attribute from the <xacml-context:Attribute>.
> > >
> > > Simon
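
Added example (not part of the thread and not taken from the XACML drafts): a small Python model of the two designator readings raised in the quoted message, run against the subject-id value and the policy literal from that message. The rfc822Name syntax check, the function names and the second "mixed" request are assumptions made for illustration.

```python
import re

# Simplified rfc822Name check (assumption: local-part@domain, not the full RFC 822 grammar).
_RFC822 = re.compile(r"^[^@\s]+@[A-Za-z0-9.-]+$")

INDETERMINATE = "Indeterminate"  # sentinel for an evaluation error


def parse_rfc822(text):
    """Return (local, domain) or None if text is not a valid representation."""
    if not _RFC822.match(text):
        return None
    local, domain = text.rsplit("@", 1)
    return (local, domain.lower())  # assumption: domain part compares case-insensitively


def designate_strict(values):
    """Reading 1: any unparseable value makes the whole designator Indeterminate."""
    parsed = [parse_rfc822(v) for v in values]
    return INDETERMINATE if None in parsed else parsed


def designate_filtering(values):
    """Reading 2: return a bag of only the values that do parse."""
    return [p for p in map(parse_rfc822, values) if p is not None]


def subject_match(designate, request_values, policy_value):
    """rfc822Name-equal between the policy literal and each value in the bag."""
    wanted = parse_rfc822(policy_value)
    bag = designate(request_values)
    if wanted is None or bag == INDETERMINATE:
        return INDETERMINATE
    return any(v == wanted for v in bag)


# subject-id value from the message above, plus one constructed mixed request.
X500_ONLY = ["CN=Simon Godik, O=OverXeer, OU=Research"]
MIXED = X500_ONLY + ["simon@GODIK.com"]  # constructed sample

if __name__ == "__main__":
    for name, fn in [("strict", designate_strict), ("filtering", designate_filtering)]:
        print(name,
              subject_match(fn, X500_ONLY, "simon@godik.com"),
              subject_match(fn, MIXED, "simon@godik.com"))
```

Under the strict reading one non-rfc822 subject-id makes the match Indeterminate even when another value would match; under the filtering reading the X.500-only request yields an empty bag and the match is false.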