
Subject: RE: [xacml] Re: [xacml-comment] D024


It seems to me that we are not talking about the same "time". XACML does not
specify (and cannot specify) the content of the context at "compile" time -
i.e. policy exists independent of the context.  How can it be guaranteed to
be typechecked simultaneously (though it certainly can be done, in
particular implementations that do have control over context and do not have
external function extensions)? Only certain arguments can always be
typechecked in advance (such as static values specified in policy, or <apply>
elements).
This is actually why it is important to NOT have polymorphic functions in
a condition, so that an <apply> element always has a predefined type, even if
its arguments are retrieved from context at runtime.
D;

-----Original Message-----
From: Simon Godik [mailto:simon@godik.com]
Sent: Tuesday, December 03, 2002 9:22 AM
To: XACML TC
Subject: Re: [xacml] Re: [xacml-comment] D024


Anne,
In my opinion, compile-time policy type-checking is essential (although not
normative) for the xacml implementation. If you do not have typechecking
done you are never sure what is going to happen at run-time. I do not think
that run-time type-checking is 'clean', I think it is 'wrong'. A static
typechecker will reject policies you may find appropriate just because they
pass schema validation.

Simon

----- Original Message -----
From: "Anne Anderson" <Anne.Anderson@Sun.com>
To: "XACML TC" <xacml@lists.oasis-open.org>
Sent: Tuesday, December 03, 2002 9:04 AM
Subject: [xacml] Re: [xacml-comment] D024


> Polar, I disagree.  In my opinion, the type checking for
> arguments to functions should be done at the time the function is
> evaluated, not at the time the policy is parsed.  Since we have
> not specified the type-correctness of XACML functions using XML,
> the type correctness must be checked after the policy is parsed
> by the XML parser.  It could be done as a second, XACML-specific
> parsing step, but I believe it is probably cleaner to have the
> type checking done at the time the function is evaluated.  This
> may make it easier to deal with plug-in custom functions.
>
> Anne Anderson
>
> On 3 December, Polar Humenn writes: Re: [xacml-comment] D024
>  > From: Polar Humenn <polar@syr.edu>
>  > To: Anne Anderson <Anne.Anderson@sun.com>
>  > Subject: Re: [xacml-comment] D024
>  > Date: Tue, 3 Dec 2002 10:51:40 -0500 (EST)
>  >
>  >
>  > D024
>  >
>  > The condition that John is referring to in
>  >
>  > urn:oasis:names:tc:xacml:1.0:conformance-test:IID024:policy3
>  >
>  > in test D024 is not type correct and therefore is not a valid policy, and
>  > therefore not a valid policy set. Although it might naively parse through
>  > the policy-schema, it should not even be evaluated, because it is not type
>  > correct.
>  >
>  > Cheers,
>  > -Polar
>  >
>  > On Tue, 3 Dec 2002, Anne Anderson wrote:
>  >
>  > > John Merrells,
>  > >
>  > > As in D002, this Condition was intended to produce an
>  > > Indeterminate result (by passing the wrong argument type to the
>  > > function) in order to test the requirements of the
>  > > "first-applicable" algorithm, which says that a Permit or Deny
>  > > result will be returned even if an Indeterminate result follows.
>  > >
>  > > Please let me know if I am overlooking something.
>  > >
>  > > Anne Anderson
>  > >
>  > > On 26 November, John Merrells writes: [xacml-comment] D024
>  > >  > From: John Merrells <merrells@jiffysoftware.com>
>  > >  > To: "'xacml-comment@lists.oasis-open.org'" <xacml-comment@lists.oasis-open.org>
>  > >  > Subject: [xacml-comment] D024
>  > >  > Date: Tue, 26 Nov 2002 17:36:20 -0800
>  > >  >
>  > >  >
>  > >  > Same as D002...
>  > >  >
>  > >  >             <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>  > >  >                 <SubjectAttributeDesignator
>  > >  >                     AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
>  > >  >                     DataType="http://www.w3.org/2001/XMLSchema#string"/>
>  > >  >                 <AttributeValue
>  > >  >                     DataType="http://www.w3.org/2001/XMLSchema#string">Zaphod Beedlebrox</AttributeValue>
>  > >  >             </Condition>
>  > >  >
>  > >  >
>  > >  >
>  > >  > ----------------------------------------------------------------
>  > >  > To subscribe or unsubscribe from this elist use the subscription
>  > >  > manager: <http://lists.oasis-open.org/ob/adm.pl>
>  > >  >
>  > >
>  > > --
>  > > Anne H. Anderson             Email: Anne.Anderson@Sun.COM
>  > > Sun Microsystems Laboratories
>  > > 1 Network Drive,UBUR02-311     Tel: 781/442-0928
>  > > Burlington, MA 01803-0902 USA  Fax: 781/442-1692
>  > >
>  > >
>  > >
>  >
>  >
>
> --
> Anne H. Anderson             Email: Anne.Anderson@Sun.COM
> Sun Microsystems Laboratories
> 1 Network Drive,UBUR02-311     Tel: 781/442-0928
> Burlington, MA 01803-0902 USA  Fax: 781/442-1692
>
>
>
>
>


----------------------------------------------------------------
To subscribe or unsubscribe from this elist use the subscription
manager: <http://lists.oasis-open.org/ob/adm.pl>
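
Added example, not part of the mailing-list thread: a minimal static ("compile-time") type check of the kind debated above, run over the D024 condition quoted in the thread and over a constructed type-correct variant. The two-entry signature table, the helper names (`type_of`, `check_condition`) and the `FIXED` input are assumptions made for illustration; no request context is consulted.

```python
import xml.etree.ElementTree as ET

XS = "http://www.w3.org/2001/XMLSchema#"
FN = "urn:oasis:names:tc:xacml:1.0:function:"

# Non-polymorphic signatures: function id -> (argument types, return type).
# A bag is modelled as ("bag", element_type); only two functions are listed.
SIGNATURES = {
    FN + "string-equal": ([XS + "string", XS + "string"], XS + "boolean"),
    FN + "string-one-and-only": ([("bag", XS + "string")], XS + "string"),
}

class PolicyTypeError(Exception):
    """Raised when an expression does not match its function signature."""

def type_of(elem):
    """Infer the static type of an expression without any request context."""
    tag = elem.tag.split("}")[-1]  # ignore the XML namespace, if present
    if tag == "AttributeValue":
        return elem.get("DataType")
    if tag.endswith("AttributeDesignator"):
        # A designator yields a bag, whatever the request will contain.
        return ("bag", elem.get("DataType"))
    if tag in ("Condition", "Apply"):
        fid = elem.get("FunctionId")
        if fid not in SIGNATURES:
            raise PolicyTypeError(f"unknown function {fid}")
        params, result = SIGNATURES[fid]
        args = [type_of(child) for child in elem]
        if args != params:
            raise PolicyTypeError(f"{fid}: expected {params}, got {args}")
        return result
    raise PolicyTypeError(f"unexpected element {tag}")

def check_condition(xml_text):
    """Return None if the Condition is boolean-typed, else the error text."""
    try:
        result = type_of(ET.fromstring(xml_text))
    except PolicyTypeError as exc:
        return str(exc)
    return None if result == XS + "boolean" else f"condition has type {result}"

# Constructed inputs: the D024 condition as quoted, and a type-correct variant.
DESIGNATOR = (f'<SubjectAttributeDesignator DataType="{XS}string" '
              'AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"/>')
VALUE = f'<AttributeValue DataType="{XS}string">Zaphod Beedlebrox</AttributeValue>'
D024 = f'<Condition FunctionId="{FN}string-equal">{DESIGNATOR}{VALUE}</Condition>'
FIXED = (f'<Condition FunctionId="{FN}string-equal"><Apply FunctionId='
         f'"{FN}string-one-and-only">{DESIGNATOR}</Apply>{VALUE}</Condition>')
```

`check_condition(D024)` reports the bag-versus-string mismatch before any request is seen, while `check_condition(FIXED)` returns `None`; an implementation that checks types only at evaluation time would instead surface the same mismatch as an Indeterminate result.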

