RE: [xacml] CR: Policy Indexing

[Tim Moses <tim.moses@entrust.com>]

Title: CR: Policy Indexing

Hal - I have no objection to your redrafting that section.  Remember, though, that separate policies applicable to the same request do not identify an algorithm for combining them, unless they are encapsulated in a policy set containing an identifier for a combining algorithm.  That policy set becomes the single policy applicable to the request.  I am open to the idea that the current explanation may be confusing.  But, by my understanding, we cannot present a PDP with multiple policies for a request, because it won't know how to combine them.  All the best.  Tim.

-----Original Message-----
From: Hal Lockhart [mailto:hal.lockhart@entegrity.com]
Sent: Friday, October 11, 2002 12:11 PM
To: 'xacml@lists.oasis-open.org'
Subject: [xacml] CR: Policy Indexing

Section 2.8 describes two policy indexing strategies. This seems like a reasonable discussion to motivate the use of target, but I have a couple of concerns.

1. My most important concern is that it states that "only one policy statement applies". This is contrary to my understanding (or what are combining algorithms for?) and it appears to contradict section 2.2 specifically.

2. I really don't see that strong a distinction between the two cases and I suspect that they are not the only possibilities either. It seems to me that the general case is basically that you have a bunch of policies stored someplace and you need to find the ones (hopefully using some efficient technique) who's Targets match the corresponding fields in the Request Context. Period.

Amy I missing some subtleties here? If there is general agreement, I would be willing to draft some text, but I don't want to do so until there is consensus.

Hal