
Subject: Re: [xacml] Concrete Proposal of ConditionReference (#7)

On Thu, 5 Feb 2004, Seth Proctor wrote:

> On Thu, 2004-02-05 at 10:33, Polar Humenn wrote:
> > If you call it an ExpressionRef this kind of means you substitute the
> > Expression and then evaluated when the expression containing the
> > reference gets evaluated. If you call it a ValueRef, this kind of
> > means that you evaluate it first and then substitute the value where the
> > reference appears.
> >
> > In any case, we must say that Expressions represent Values, and that no
> > matter when they are evaluated they must represent the same value.
> Ah. This is a key point that has not come up in the conversation before.

Oh, it has, maybe before your time. We've always held XACML to be a
"declarative" language. And given the same policy, and the same input,
in all cases all PDPs should return the same value.

> Is this really the right way to go?

It would make me sleep better at night.

> If I have a designator that references something that changes over the
> course of the evaluation, I now have to keep its value constant? What
> about if I cache a policy over many evaluations? Hrm.

The value must remain constant for the entire evaluation. This requirement
is enforced implicitly. You apply a policy evaluation (and sub-policy
evaluations) to the same RequestContext.

> Originally, this work item was proposed as nothing more than syntactic
> sugar. It was supposed to help clean up policies. In our discussion of
> recursive references, I pointed out that the proposal is actually
> changing the meaning of the "condition" logic, so it's more than just a
> superficial change. This latest idea, that a Definition remains constant
> throughout an evaluation, further changes what the logic in a Rule
> means. Now, as a policy writer, I have to think about whether some
> designator or function may produce different values, and therefore
> whether it's safe to use them in a Def/Ref. This makes me really
> nervous. I would not support this approach without some very careful
> language and thought about what this feature actually does to the PDP.

If what you say were really the case, we couldn't hope for
interoperability or consistent evaluation even by the time Jenna Bush is
ordained president of the United States.

As a policy writer, you must have the assurance that your values will not
change at some arbitrary point in the evaluation. We enforce that by
saying XACML is a declarative language.

> As an aside, I've seen a number of proposals lately that specify schema
> changes but don't have language to explain the semantics of the
> proposal. When I say that I haven't seen a full proposal for item #7,
> it's partially because I haven't seen any language discussing how the
> feature is used. Let's get this nailed down before we proceed.

I will help Simon on this, provided Simon takes care of the XML Schema
syntax, of which he is much more adept than I. I'm getting on a plane in
half an hour and won't be back in the office until Tuesday. So, it may
have to wait until after that.


> seth
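The two readings discussed in this thread (an ExpressionRef substitutes the Definition's expression and evaluates it wherever the reference appears; a ValueRef evaluates the Definition once and substitutes the value) and the claim that both must agree as long as the whole evaluation runs against one fixed RequestContext can be shown in a toy evaluator. The following Python is an added example written for this archive page, not code from the XACML TC or from either poster; the Value/Designator/Apply/Ref node types, the function table, the attribute ids and the sample policy are constructed assumptions, not XACML's schema.

```python
"""Toy condition evaluator contrasting ExpressionRef and ValueRef semantics.
Constructed example: node types, functions and attribute ids are assumptions."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, Tuple, Union


@dataclass(frozen=True)
class Value:
    v: Any                      # literal, or a Definition already reduced to a value

@dataclass(frozen=True)
class Designator:
    attribute_id: str           # looked up in the RequestContext, e.g. "subject:role"

@dataclass(frozen=True)
class Apply:
    function_id: str
    args: Tuple["Expr", ...]

@dataclass(frozen=True)
class Ref:
    definition_id: str          # reference to a named Definition

Expr = Union[Value, Designator, Apply, Ref]

# Assumed function names, loosely after XACML's standard functions.
# "and" evaluates every argument first; this toy does not short-circuit.
FUNCTIONS: Dict[str, Callable[..., Any]] = {
    "string-equal": lambda a, b: a == b,
    "integer-greater-than": lambda a, b: a > b,
    "and": lambda *xs: all(xs),
}

# A RequestContext is modelled as attribute_id -> zero-argument lookup so that an
# attribute source whose value drifts between reads can be simulated.
Context = Dict[str, Callable[[], Any]]


def evaluate(expr: Expr, context: Context, env: Dict[str, Expr]) -> Any:
    """Evaluate an expression; `env` binds Definition ids to what a Ref expands to."""
    if isinstance(expr, Value):
        return expr.v
    if isinstance(expr, Designator):
        return context[expr.attribute_id]()
    if isinstance(expr, Ref):
        return evaluate(env[expr.definition_id], context, env)
    if isinstance(expr, Apply):
        args = [evaluate(a, context, env) for a in expr.args]
        return FUNCTIONS[expr.function_id](*args)
    raise TypeError(f"unknown expression node: {expr!r}")


def evaluate_condition(condition: Expr, definitions: Dict[str, Expr],
                       context: Context, mode: str) -> Any:
    """ValueRef: each Definition is evaluated once, up front, and its value bound.
    ExpressionRef: the Definition's expression is bound and re-evaluated at every Ref."""
    if mode == "ValueRef":
        env: Dict[str, Expr] = {}
        for name, e in definitions.items():   # earlier Definitions may be used by later ones
            env[name] = Value(evaluate(e, context, env))
    elif mode == "ExpressionRef":
        env = dict(definitions)
    else:
        raise ValueError(mode)
    return evaluate(condition, context, env)


def snapshot(context: Context) -> Context:
    """Fix the RequestContext for one evaluation: read each attribute once and
    hand out that same value on every later read."""
    return {k: (lambda v=read(): v) for k, read in context.items()}


# Constructed sample policy: is_admin AND n > 0 AND 2 > n  (Ref("n") appears twice on purpose)
DEFINITIONS: Dict[str, Expr] = {
    "n": Designator("env:counter"),
    "is_admin": Apply("string-equal", (Designator("subject:role"), Value("admin"))),
}
CONDITION: Expr = Apply("and", (
    Ref("is_admin"),
    Apply("integer-greater-than", (Ref("n"), Value(0))),
    Apply("integer-greater-than", (Value(2), Ref("n"))),
))


def make_counter() -> Callable[[], int]:
    """Attribute source whose value changes on every read: 1, 2, 3, ..."""
    state = [0]
    def read() -> int:
        state[0] += 1
        return state[0]
    return read

def fixed_context() -> Context:
    return {"subject:role": lambda: "admin", "env:counter": lambda: 1}

def drifting_context() -> Context:
    return {"subject:role": lambda: "admin", "env:counter": make_counter()}

def compare(context: Context) -> Tuple[Any, Any]:
    """Return (ValueRef result, ExpressionRef result) for CONDITION under one context."""
    return (evaluate_condition(CONDITION, DEFINITIONS, context, "ValueRef"),
            evaluate_condition(CONDITION, DEFINITIONS, context, "ExpressionRef"))


if __name__ == "__main__":
    print("fixed context:    ", compare(fixed_context()))               # (True, True)
    print("drifting context: ", compare(drifting_context()))            # (True, False)
    print("snapshot of drift:", compare(snapshot(drifting_context())))  # (True, True)
```

With a fixed context the two substitution strategies agree, which is the declarative property the reply insists on. With an attribute source that changes between reads, the ExpressionRef reading evaluates `Ref("n")` twice and sees two different values, so the condition's outcome depends on evaluation order. Snapshotting the RequestContext once per evaluation restores agreement, which is the "same RequestContext for the policy and all sub-policy evaluations" rule stated above, made explicit.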
