Subject: RE: [xacml] Re: Section 7.2 Base policy (was A single tree?)


On Thu, 2004-04-15 at 10:01, Polar Humenn wrote:
> So you are not talking about a "retrieval step", but you are talking about
> a decision procedure of "deciding on a single policy", which is sort of
> the same thing.

Abstractly, the PDP always starts by figuring out what to use in
evaluation. This is a truism.

> > Speaking from experience, I can say two things with certainty:
> >
> >   1. This text is useful for implementors. I spent a lot of time
> >      thinking about how my code would react to the arrival of a
> >      decision request. After re-reading the spec many times I
> >      built something that provides a lot of flexibility but still
> >      requires there to ultimately be a single root policy (physically
> >      or logically) for any given request. Clear text spelling this out
> >      will help others to figure this out.
> 
> And that is your particular implementation. It may not be mine, and it may
> not be somebody else's.

Polar, I don't care what you've built. I'm providing real-world
experience. I'm not telling anyone else how to build a PDP. I am telling
you that this text is useful for implementors. That's it.

> >   2. I get a lot of questions from users about this issue. They want to
> >      understand exactly what the rules are around root policies. Anne's
> >      text makes it clear what's in scope, and what XACML doesn't define.
> >      I believe this will help considerably.
> 
> I have no problem with an "implementers guide", as long as it is a "guide"
> with suggestions, not mandates. If you want to build it this way, you do
> A, B, C, and D. etc.  If you want to build it this other way, you do, A,
> B, D, E and F. It's all non-normative.

Did I say anything about mandates for implementors? No. In fact, I
explicitly stated in several places that there was only one mandate that
I supported, and that's what you say you support (at the end of this
mail). I'm also explicit here that I like what this text says about
things being out of scope.

> > In short, I don't believe the proposed text for 7.2 defines how you find
> > a policy, how you construct a "base" policy, or how a PDP handles the
> > policies it can use. The proposed text only specifies that logically
> > evaluation is of the form one Request and one Policy[Set],
> 
> I have no problem with that definition up to this point.
> 
> > and that trying to do otherwise is an error.
> 
> and there I lose you, somewhat. It depends on what you mean by error. If
> you mean I have to deny, then I really lose you.

Why would I mean Deny when I say Error? The spec equates Indeterminate
with Error.

> > I believe this is what's already expressed in the specification, but that
> > the new language helps clarify this point, and will be helpful for
> > implementors and users alike.
> 
> The spec is right to say that an XACML evaluation is defined between ONE
> Policy[Set] and ONE Request. Nothing else need be said.

That's your opinion. It is the opinion of several others that some
simple clarifying text is useful.

-- 
Seth Proctor <Seth.Proctor@Sun.COM>
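Added example, not part of this message and not code from any XACML implementation discussed in the thread: a small Python sketch of the two ways the message above mentions for keeping evaluation to one Request against one Policy[Set]. A physically single root treats a second applicable root as an error and returns Indeterminate, while a logically single root wraps the deployed roots under one synthetic PolicySet so the PDP still evaluates a single Policy[Set]. The policy and rule shapes, the simplified deny-overrides combiner, and the sample policies and requests are constructed for illustration and are not the specification's normative definitions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Union

# Decision values defined by XACML.
PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = (
    "Permit", "Deny", "NotApplicable", "Indeterminate")

Request = Dict[str, str]


@dataclass
class Policy:
    """Leaf policy: a target predicate plus one rule (hypothetical simplification)."""
    policy_id: str
    target: Callable[[Request], bool]
    rule: Callable[[Request], str]


@dataclass
class PolicySet:
    """Policy set: a target predicate plus children merged by a combining algorithm."""
    policy_id: str
    children: List["Node"]
    combine: Callable[[List["Node"], Request], str]
    target: Callable[[Request], bool] = lambda req: True


Node = Union[Policy, PolicySet]


def evaluate(node: Node, request: Request) -> str:
    """Evaluate ONE Policy[Set] against ONE request: the only shape XACML defines."""
    if not node.target(request):
        return NOT_APPLICABLE
    if isinstance(node, Policy):
        return node.rule(request)
    return node.combine(node.children, request)


def deny_overrides(children: List[Node], request: Request) -> str:
    """Simplified deny-overrides policy combining (constructed for this sketch):
    any Deny or Indeterminate child yields Deny, then any Permit, else NotApplicable."""
    results = [evaluate(child, request) for child in children]
    if DENY in results or INDETERMINATE in results:
        return DENY
    if PERMIT in results:
        return PERMIT
    return NOT_APPLICABLE


def decide_strict(roots: List[Node], request: Request) -> str:
    """Physically single root: evaluate only if exactly one deployed root applies.
    No applicable root is NotApplicable; more than one is an error, so Indeterminate."""
    applicable = [root for root in roots if root.target(request)]
    if not applicable:
        return NOT_APPLICABLE
    if len(applicable) > 1:
        return INDETERMINATE
    return evaluate(applicable[0], request)


def decide_logical_root(roots: List[Node], request: Request,
                        combine=deny_overrides) -> str:
    """Logically single root: wrap every deployed root in one synthetic PolicySet,
    so the evaluation is still one request against one Policy[Set]."""
    return evaluate(PolicySet("logical-root", list(roots), combine), request)


# Constructed sample roots standing in for separately deployed top-level policies.
ROOTS: List[Node] = [
    Policy("finance",
           target=lambda r: r["resource"].startswith("/reports"),
           rule=lambda r: PERMIT if r["subject"] == "alice" else DENY),
    Policy("hr",
           target=lambda r: r["resource"].startswith("/hr"),
           rule=lambda r: PERMIT if r["subject"] == "bob" else DENY),
    Policy("audit-read",
           target=lambda r: r["action"] == "read",  # overlaps the other roots on reads
           rule=lambda r: PERMIT),
]


def demo() -> Dict[str, tuple]:
    """Return (strict, logical-root) decisions for a few constructed requests."""
    requests = {
        "bob-writes-hr": {"subject": "bob", "resource": "/hr/records", "action": "write"},
        "alice-reads-reports": {"subject": "alice", "resource": "/reports/q1", "action": "read"},
        "mallory-reads-reports": {"subject": "mallory", "resource": "/reports/q1", "action": "read"},
        "nobody-writes-other": {"subject": "bob", "resource": "/other", "action": "write"},
    }
    return {name: (decide_strict(ROOTS, req), decide_logical_root(ROOTS, req))
            for name, req in requests.items()}


if __name__ == "__main__":
    for name, (strict, logical) in demo().items():
        print(f"{name:24} strict={strict:14} logical-root={logical}")
```

The read requests show the difference: with two physically separate roots applying, the strict PDP reports Indeterminate (the error case), whereas the logical root lets the combining algorithm resolve the overlap, so the audit root's Permit cannot override the finance root's Deny for mallory.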
