Subject: RE: [xacml] Proposal on item 7 ConditionReference
On Tue, 9 Dec 2003, Daniel Engovatov wrote:

> Why only within a single policy?

The policy is a self-contained unit. It is a completely contained expression of access. To have references outside of the policy complicates type checking and evaluation.

> Is not our type and data structure shared between policies?

Not for instances.

> PIP may, and should not be aware of multiple policies as far as I
> understand.

To tell you the truth, I don't even know what a PIP is. The Request Context contains all the information that is needed to evaluate a policy.

> Why could not attribute type declarations and expressions be shared? Is
> there any fundamental objection to that, besides the fact that we do not
> have a place to share it - a context schema and document - for now?

I will object. Sharing an expression by reference amongst policies presents a number of problems.

1. The policy writer may not know who wrote the expression behind the reference and what it may mean.
2. Type complications. How will you type check the reference to the expression?
3. Dynamic binding and evaluation complications. How will you evaluate the expression behind the reference? Who will evaluate it? How will you trust it?

It then becomes a point of administration. We've argued this same concept before, and we have consistently said that the <Policy> was the smallest unit of administration.

Cheers,
-Polar