Subject: RE: [xacml] Concrete Proposal of ConditionReference (#7)
>We didn't state it in the specification? But I guess we are still on the
>page on this one, anyway.

I hope we did not. Unlike specifics of the functions' behaviour (and properties of the expression references for that matter), virtual context is not ours to regulate, I believe.

>I thought the reasons we adopted unordered bag functions was because of
>the shouldn't rely on getting the answers back in a specific order for a
>query evaluation. That is, one PDP may get them back in a different order
>than another PDP.

I thought it is not only about different PDPs. Nothing explicitly prohibits a single PDP to be distributed and retrieve data from context for single policy evaluation from different "directions". And get a different answer for a different rule. Normally you would not want such behavior, but that's not always about common sense. I have a working example of a system where this is not the case - context handler is out of control of the evaluation and very well may change between individual rule evaluations (yuck, but true. And efficient)

>I think the situation you mention, within the same PDP during the same
>evaluation is merely an implementation that doesn't violate the
>constraints and is acceptable.

Indeed. The problem with that was we could not write a policy that REQUIRES the same expression to be evaluated to the same value within the single instance of policy evaluation. With expression references that can be solved - without imposing undue requirements on policies that do not require that.

> Agreed.

Same.

Daniel.