Subject: RE: [xacml] Re: Section 7.2 Base policy (was A single tree?)
On Thu, 2004-04-15 at 10:01, Polar Humenn wrote:
> So you are not talking about a "retrieval step", but you are talking about
> a decision procedure of "deciding on a single policy", which is sort of
> the same thing.

Abstractly, the PDP always starts by figuring out what to use in evaluation. This is a truism.

> > Speaking from experience, I can say two things with certainty:
> >
> > 1. This text is useful for implementors. I spent a lot of time
> > thinking about how my code would react to the arrival of a
> > decision request. After re-reading the spec many times I
> > built something that provides a lot of flexibility but still
> > requires there to ultimately be a single root policy (physically
> > or logically) for any given request. Clear text spelling this out
> > will help others to figure this out.
>
> And that is your particular implementation. It may not be mine, and it may
> not be somebody else's.

Polar, I don't care what you've built. I'm providing real-world experience. I'm not telling anyone else how to build a PDP. I am telling you that this text is useful for implementors. That's it.

> > 2. I get a lot of questions from users about this issue. They want to
> > understand exactly what the rules are around root policies. Anne's
> > text makes it clear what's in scope, and what XACML doesn't define.
> > I believe this will help considerably.
>
> I have no problem with an "implementers guide", as long as it is a "guide"
> with suggestions, not mandates. If you want to build it this way, you do
> A, B, C, and D. etc. If you want to build it this other way, you do, A,
> B, D, E and F. It's all non-normative.

Did I say anything about mandates for implementors? No. In fact, I explicitly stated in several places that there was only one mandate that I supported, and that's what you say you support (at the end of this mail). I'm also explicit here that I like what this text says about things being out of scope.

> > In short, I don't believe the proposed text for 7.2 defines how you find
> > a policy, how you construct a "base" policy, or how a PDP handles the
> > policies it can use. The proposed text only specifies that logically
> > evaluation is of the form one Request and one Policy[Set],
>
> I have no problem with that definition up to this point.
>
> > and that trying to do otherwise is an error.
>
> and there I lose you, somewhat. It depends on what you mean by error. If
> you mean I have to deny, then I really lose you.

Why would I mean Deny when I say Error? The spec equates Indeterminate with Error.

> > I believe this is what's already expressed in the specification, but that
> > the new language helps clarify this point, and will be helpful for
> > implementors and users alike.
>
> The spec is right to say that an XACML evaluation is defined between ONE
> Policy[Set] and ONE Request. Nothing else need be said.

That's your opinion. It is the opinion of several others that some simple clarifying text is useful.

--
Seth Proctor <Seth.Proctor@Sun.COM>