Subject: Re: [xacml] bags and targets. Forwarded message from Seth Proctor.
On Thu, 17 Oct 2002, Seth Proctor wrote:

>
> > This sentence means exactly what it says. If the selector or
> > designator evaluates to an empty bag, then there is no match, i.e. the
> > match "predicate" is False.
>
> Yes, I understand that. What I don't understand is how the bag could be empty
> and not have that be an Indeterminate case. This is the only question I was
> asking.

If I ask you whether or not you have any bills in your wallet that have a
picture of Ulysses S. Grant on them, what will you tell me?

-Polar

>
> If an AD or AS is asked to resolve a particular attribute, and it fails to
> do so, then this is an indeterminate state, and typically a Status message
> gets returned about some missing attributes. The spec is very clear that in
> a match operation, if the AD/AS fails to resolve a value and returns
> Indeterminate, then the match evaluates to Indeterminate immediately.
>
> The sentence that I called out, however, suggests that an AD/AS can return
> an empty bag and not have that be a failure case. Thus, my question. How can
> the bag be empty and not represent a failure? The one case I suggested is that
> the Attribute in the Request had no AttributeValues associated with it. If
> this is the correct explanation, then the text should be explicit and explain
> this. If this is not the case, then the text should explain what's going on.
> Either way, there needs to be clarification here, and probably in the section
> on AD/AS types as well.
>
> > The match predicate is akin to asking, "Do you have one or more of any
> > subject ids that match 'john.*'?" If you have none, then False, if you have
> > at least one, then True.
> >
> > This is a composition of three functions: an Attribute Designator, i.e.
> > "Get me all subject ids", a match filter, i.e. "that match 'john.*'", and a
> > length predicate "length > 0".
> >
> > Regardless of the match filter, if you have zero elements to start with,
> > you will end up with zero elements after you apply the match filter, and
> > therefore, vacuously, you don't have a match.
>
> This is all made clear by the spec. I wasn't asking for clarification on any
> of these points.
>
>
> seth
>
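The two outcomes argued over in this thread (an empty bag giving False, a failed AD/AS resolution giving Indeterminate), as an added Python sketch that is not part of the original message or of the XACML specification. The `subject-id` attribute name, the `UNRESOLVABLE` sentinel and the `ResolutionFailure` exception are assumptions of this sketch, and the empty-bag sample uses the one case suggested in the thread, an attribute with no values.

```python
import re
from enum import Enum

class Match(Enum):
    TRUE = "True"
    FALSE = "False"
    INDETERMINATE = "Indeterminate"

class ResolutionFailure(Exception):
    """Hypothetical signal: the AD/AS could not resolve the attribute."""

# Sentinel used only in this sketch to mark an attribute the AD/AS fails on.
UNRESOLVABLE = object()

def designate(request, attribute_id):
    """Attribute Designator: 'get me all subject ids' -> bag (a list here)."""
    # Assumption: an id the sketch cannot look up counts as a failure too.
    values = request.get(attribute_id, UNRESOLVABLE)
    if values is UNRESOLVABLE:
        raise ResolutionFailure(attribute_id)
    return list(values)  # a resolved bag may hold zero values

def match_filter(bag, pattern):
    """Match filter: keep only the values that fully match the pattern."""
    rx = re.compile(pattern)
    return [v for v in bag if rx.fullmatch(v)]

def evaluate_match(request, attribute_id, pattern):
    """Compose designator, match filter and the 'length > 0' predicate."""
    try:
        bag = designate(request, attribute_id)
    except ResolutionFailure:
        return Match.INDETERMINATE  # failure short-circuits the match
    return Match.TRUE if len(match_filter(bag, pattern)) > 0 else Match.FALSE

# Constructed sample requests (not taken from the thread or the spec).
SAMPLES = {
    "one matching id": {"subject-id": ["mary", "john.doe"]},
    "no matching id": {"subject-id": ["mary"]},
    "attribute with no values": {"subject-id": []},
    "resolution failure": {"subject-id": UNRESOLVABLE},
}

def run_samples():
    return {name: evaluate_match(req, "subject-id", "john.*")
            for name, req in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name}: {result.value}")
```
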