

Subject: RE: [xacml] CR: Policy Indexing


I agree.

Hal

> -----Original Message-----
> From: Polar Humenn [mailto:polar@syr.edu]
> Sent: Friday, October 11, 2002 2:43 PM
> To: Hal Lockhart
> Cc: 'xacml@lists.oasis-open.org'
> Subject: Re: [xacml] CR: Policy Indexing
>
>
> On Fri, 11 Oct 2002, Hal Lockhart wrote:
>
> > Section 2.8 describes two policy indexing strategies. This seems like a
> > reasonable discussion to motivate the use of target, but I have a couple
> > of concerns.
> >
> > 1. My most important concern is that it states that "only one policy
> > statement applies". This is contrary to my understanding (or what are
> > combining algorithms for?) and it appears to contradict section 2.2
> > specifically.
>
> I agree. I drafted a One-applicable-policy combining algorithm to handle
> this case. In conjunction, in Section 7.1, it states that a PDP shall
> represent One Policy or Policy Set.
>
> That should take care of it.
>
> However, the next sentence in 7.1 may be worrisome, which says "Should
> the PDP be dynamic in nature in retrieving policies based on the request,
> the PDP SHALL act as if it represents a single policy set with the "Only
> One Applicable Policy" policy combining algorithm."
>
>
> So, what I think this is saying is that if you do not explicitly configure
> your PDP with a single Policy or Policy Set, it specifies a default
> behavior of finding the "only" policy that should apply.
>
> Hal, do you think this jives?
>
> I think we should really get rid of the text that stipulates that only one
> policy applies in Section 2.8, and leave it to the 7.1 section.
>
> Cheers,
> -Polar
>
>
> >
> > 2. I really don't see that strong a distinction between the two cases
> > and I suspect that they are not the only possibilities either. It seems
> > to me that the general case is basically that you have a bunch of
> > policies stored someplace and you need to find the ones (hopefully using
> > some efficient technique) whose Targets match the corresponding fields
> > in the Request Context. Period.
> >
> > Am I missing some subtleties here? If there is general agreement, I
> > would be willing to draft some text, but I don't want to do so until
> > there is consensus.
> >
> > Hal
> >
>
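
The lookup and combining behaviour discussed in this thread, as an added example that is not part of either message or of the XACML specification text: policies are indexed by one target field, the ones whose targets match the request context are selected, and an only-one-applicable rule is applied to the result. The policy data, field names and function names are constructed for illustration; the example assumes that no match yields NotApplicable and more than one match yields Indeterminate, and it stands in a fixed effect for full policy evaluation.

```python
from collections import defaultdict

# Constructed sample policies. A target maps request-context fields to the
# value they must have; a field absent from the target matches anything.
POLICIES = [
    {"id": "P1", "target": {"resource": "payroll", "action": "read"}, "effect": "Permit"},
    {"id": "P2", "target": {"resource": "payroll", "subject": "contractor"}, "effect": "Deny"},
    {"id": "P3", "target": {"resource": "wiki"}, "effect": "Permit"},
    {"id": "P4", "target": {"action": "delete"}, "effect": "Deny"},
]


def build_index(policies, field="resource"):
    """Bucket policies by one target field; policies without it go under None."""
    index = defaultdict(list)
    for policy in policies:
        index[policy["target"].get(field)].append(policy)
    return dict(index)


def target_matches(target, request):
    """True when every field named in the target equals the request's value."""
    return all(request.get(name) == value for name, value in target.items())


def applicable_policies(index, request, field="resource"):
    """Check only the request's bucket plus the wildcard bucket, not the whole store."""
    key = request.get(field)
    candidates = list(index.get(None, []))
    if key is not None:
        candidates = index.get(key, []) + candidates
    return [p for p in candidates if target_matches(p["target"], request)]


def only_one_applicable(index, request):
    """Assumed semantics: 0 matches -> NotApplicable, >1 -> Indeterminate."""
    matches = applicable_policies(index, request)
    if not matches:
        return "NotApplicable"
    if len(matches) > 1:
        # Overlapping targets are treated as a policy-authoring error,
        # never silently resolved in favour of one policy.
        return "Indeterminate"
    return matches[0]["effect"]  # stand-in for evaluating the single policy


INDEX = build_index(POLICIES)
```

A PEP that receives Indeterminate or NotApplicable from such a PDP has to decide how to treat it; denying access in both cases is the fail-closed choice.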


