OASIS Mailing List Archives

xacml message



Subject: Re: [xacml] bags and targets. Forwarded message from Seth Proctor.


On 18 October, Polar Humenn writes: Re: [xacml] bags and targets. Forwarded message from Seth Proctor.
 > If you really want an indeterminate, you may wrap the attribute designator
 > in an apply of "*-one-and-only". This forces an Indeterminate error if
 > there isn't one attribute. Similarly, you can write "*-greater-than" on the
 > "*-length", etc.
 > 
 > I strongly suggest that policy writers should not be relying on
 > "Indeterminate" for evaluations.  It is an error condition, not a valid
 > access decision.
 > 
 > Writers (or should I say their tools) should be using "present" in boolean
 > expressions that lead to the desired effect.

You can't use "present" or "*-one-and-only" or "*-length" in a
<Target>.  This means any policy where you really care about
whether an attribute is present or not will have to use an <Any*>
Target, and thus will always need to be evaluated (can't
eliminate by indexing).

I strongly suggest that policy writers should not be relying on
absence of an attribute for evaluations.  It is indeterminate,
not a valid access decision. :-)

Note that there are numerous places in the spec that will need to
be re-written or clarified to conform with your interpretation of
attribute retrieval.

I think this is something that has not been clearly understood by
all the TC members, but it is critical to the semantics of XACML.
I can live with Polar's interpretation, although I think it is
wrong and dangerous to security.  If we accept his
interpretation, however, we need to be very clear in spelling out
how his interpretation applies to policy evaluation.  That is not
currently the case, as witnessed by this entire disagreement.

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
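The three ways of handling an attribute that the thread argues about, worked through as an added Python model. This is not code from the thread or from any XACML implementation; it follows the interpretation Anne attributes to Polar, under which an AttributeDesignator for an absent attribute yields an empty bag rather than an error. Rule A puts the check in a <Target> match, Rule B wraps the designator in string-one-and-only inside a <Condition>, and Rule C keys on absence through a "present" test, modelled here as a non-empty bag (an assumption; the thread does not define the function). The attribute id urn:example:role, the value "clerk", and the sample requests are constructed for the example.

```python
"""Toy model of XACML 1.0 bag semantics for Targets vs. Conditions.

Added example, not code from the xacml list thread or from any PDP.
Assumption: an absent attribute is an empty bag, not an error (the
interpretation the reply attributes to Polar).
"""
from typing import Callable, Dict, List, Optional

# XACML decision names used as results of the model.
PERMIT = "Permit"
NOT_APPLICABLE = "NotApplicable"
INDETERMINATE = "Indeterminate"

# Request context: attribute-id -> bag of string values. Absent id == empty bag.
Request = Dict[str, List[str]]

ROLE = "urn:example:role"  # hypothetical attribute id, not from the thread


class IndeterminateError(Exception):
    """Raised when a function has no value; the rule then evaluates to Indeterminate."""


def designator(request: Request, attr_id: str) -> List[str]:
    """AttributeDesignator: always yields a bag, empty if the attribute is absent."""
    return list(request.get(attr_id, []))


def string_one_and_only(bag: List[str]) -> str:
    """string-one-and-only: exactly one value, otherwise an error (Indeterminate)."""
    if len(bag) != 1:
        raise IndeterminateError(f"expected exactly one value, bag has {len(bag)}")
    return bag[0]


def string_bag_size(bag: List[str]) -> int:
    """string-bag-size: number of values in the bag (what the thread calls *-length)."""
    return len(bag)


def present(bag: List[str]) -> bool:
    """'present' from the thread, modelled as integer-greater-than(bag-size, 0). Assumption."""
    return string_bag_size(bag) > 0


def match_in_target(request: Request, attr_id: str, value: str) -> bool:
    """<Target> match: string-equal tried against each value of the bag. An empty bag
    simply fails to match and never raises, which is what lets a PDP index on Targets."""
    return any(v == value for v in designator(request, attr_id))


def evaluate_rule(request: Request,
                  target: Optional[Callable[[Request], bool]],
                  condition: Callable[[Request], bool]) -> str:
    """Target miss -> NotApplicable; Condition error -> Indeterminate;
    Condition false -> NotApplicable; Condition true -> Permit (Effect assumed Permit).
    target=None stands for an <AnySubject/>-style Target that always applies."""
    if target is not None and not target(request):
        return NOT_APPLICABLE
    try:
        holds = condition(request)
    except IndeterminateError:
        return INDETERMINATE
    return PERMIT if holds else NOT_APPLICABLE


def rule_a(request: Request) -> str:
    """Rule A: the role check lives in the <Target>; indexable, never Indeterminate."""
    return evaluate_rule(request,
                         target=lambda r: match_in_target(r, ROLE, "clerk"),
                         condition=lambda r: True)


def rule_b(request: Request) -> str:
    """Rule B: Any* Target; Condition forces Indeterminate unless exactly one role."""
    return evaluate_rule(request,
                         target=None,
                         condition=lambda r: string_one_and_only(designator(r, ROLE)) == "clerk")


def rule_c(request: Request) -> str:
    """Rule C: Any* Target; Condition deliberately keyed on absence of the attribute."""
    return evaluate_rule(request,
                         target=None,
                         condition=lambda r: not present(designator(r, ROLE)))


def decisions(request: Request) -> Dict[str, str]:
    """Evaluate all three rules against one request context."""
    return {"A_target": rule_a(request),
            "B_one_and_only": rule_b(request),
            "C_absent": rule_c(request)}


# Constructed sample requests (not from the thread).
ONE_ROLE: Request = {ROLE: ["clerk"]}
TWO_ROLES: Request = {ROLE: ["clerk", "auditor"]}
NO_ROLE: Request = {}

if __name__ == "__main__":
    for name, req in [("one role", ONE_ROLE), ("two roles", TWO_ROLES), ("no role", NO_ROLE)]:
        print(f"{name:10s} {decisions(req)}")
```

Running the model shows the trade-off the reply describes: Rule A returns NotApplicable for a request with no role, so a PDP can drop it by indexing on the Target, but it silently Permits a subject carrying two roles as long as one is "clerk". Rule B surfaces both the missing and the multi-valued case as Indeterminate, but only because it sits in a Condition under an Any* Target and is therefore evaluated on every request. Rule C grants access precisely when the attribute is missing, which is the pattern the reply warns against relying on.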


