
Subject: RE: [xacml] Concrete Proposal of ConditionReference (#7)

>We didn't state it in the specification? But I guess we are still on
>page on this one, anyway.

I hope we did not.  Unlike specifics of the functions' behaviour (and
properties of the expression references for that matter), virtual
context is not ours to regulate, I believe.

>I thought the reasons we adopted unordered bag functions was because of
>the shouldn't rely on getting the answers back in a specific order for
>query evaluation.  That is, one PDP may get them back in a different
>than another PDP.

I thought it is not only about different PDPs.  Nothing explicitly
prohibits a single PDP to be distributed and retrieve data from context
for single policy evaluation from different "directions".  And get a
different answer for a different rule.  Normally you would not want such
behavior, but that's not always about common sense.   I have a working
example of a system where this is not the case - context handler is out
of control of the evaluation and very well may change between individual
rule evaluations (yuck, but true. And efficient)

>I think the situation you mention, within the same PDP during the same
>evaluation is merely an implementation that doesn't violate the
>constraints and is acceptable.

Indeed.  The problem with that was we could not write a policy that
REQUIRES the same expression to be evaluated to the same value within
the single instance of policy evaluation.  With expression references
that can be solved - without imposing undue requirements on policies
that do not require that.

> Agreed.
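
The consistency problem discussed in this message, as an added example that is not part of the original post and is not XACML syntax or any PDP's API. It is a toy Python model with hypothetical names (`VolatileContextHandler`, `Evaluation`, `evaluate_rules`), and it assumes that a referenced expression is computed at most once per policy evaluation and its value reused.

```python
from itertools import cycle

# Constructed sample: bags the context handler returns on successive lookups.
SAMPLE_ANSWERS = [frozenset({"manager"}), frozenset({"clerk"})]

class VolatileContextHandler:
    """Context handler outside the evaluator's control: the bag returned for
    the same attribute may differ between individual rule evaluations."""
    def __init__(self, answers):
        self._answers = cycle(answers)
        self.lookups = 0

    def resolve(self, attribute_id):
        self.lookups += 1
        return next(self._answers)

class Evaluation:
    """One instance of policy evaluation over a set of named expressions."""
    def __init__(self, handler, definitions):
        self.handler = handler
        self.definitions = definitions   # name -> callable(handler)
        self._values = {}                # values fixed for this evaluation

    def inline(self, name):
        # Expression repeated in each rule: the context is consulted again.
        return self.definitions[name](self.handler)

    def reference(self, name):
        # Assumed reference semantics: evaluate once, reuse within this evaluation.
        if name not in self._values:
            self._values[name] = self.definitions[name](self.handler)
        return self._values[name]

def evaluate_rules(handler, use_reference):
    """Evaluate two rules whose conditions contain the same expression."""
    definitions = {"is-manager": lambda h: "manager" in h.resolve("role")}
    evaluation = Evaluation(handler, definitions)
    get = evaluation.reference if use_reference else evaluation.inline
    rule_a = "Permit" if get("is-manager") else "NotApplicable"
    rule_b = "Deny" if not get("is-manager") else "NotApplicable"
    return rule_a, rule_b

if __name__ == "__main__":
    print("inline:   ", evaluate_rules(VolatileContextHandler(SAMPLE_ANSWERS), False))
    print("reference:", evaluate_rules(VolatileContextHandler(SAMPLE_ANSWERS), True))
```

With the expression repeated inline, both the Permit rule and the Deny rule apply in the same evaluation; with the reference, the two rules see one value, and policies that never use a reference are unaffected.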


