Subject: Re: [xacml] Inputs to rfc822Name-match


Perhaps we could create a 'mask' that would require the name to conform, but provide for
a range of values to match? (à la IP masking)

In other words the resource could be 'foo@bar.com' with a mask of '@bar.com' and
any request of type rfc822 containing the domain '@bar.com' would result in a
match. It is kind of a long way around to do the same thing I think Tim is
asking for, but it leaves the rfc822 names valid and extends by allowing the
[soon to be omnipotent ;o] context handler to match a range via an *extension*
of the rfc822 names.

I dunno, just thinking out of the box. (I definitely think there is a valid use
case for this.)

b

Tim Moses wrote:
> Seth - I am picturing a situation like this ...
> 
> A policy is written to apply to the resource "email addresses".  In this
> case, the target would contain a resource match with the attribute
> designator "resource-id", of type "string" and value "*".
> 
> A context request is received containing the resource attribute
> "resource-id", of type "RFC 822 name" and the value "anderson@sun.com".
> 
> How can the PDP tell that the policy is applicable?  The resource-ids match,
> the data types don't match and "*" isn't obviously an email address.
> 
> So, always making the general form the same type as the specific form would
> assist matching.  This happens naturally for X.500 names and (I hope) the
> other name forms.
> 
> All the best.  Tim.
> 
> -----Original Message-----
> From: Seth.Proctor@Sun.COM [mailto:Seth.Proctor@Sun.COM] 
> Sent: Thursday, May 13, 2004 1:11 AM
> To: Tim Moses
> Cc: 'XACML'
> Subject: Re: [xacml] Inputs to rfc822Name-match
> 
> 
> 
> Tim Moses wrote:
> 
>>Anne - I know you are right.  But, WE define 
>>urn:oasis:names:tc:xacml:2.0:data-type:rfc822Name.  So, if we want "*" 
>>to be a valid instance of this type, then it can be.  Can't it?
> 
> 
> It could be, but why would we want this? I can't think of any reason why 
> we'd want someone able to specify * or .com or something similar as a 
> valid email address (since that breaks with rfc822, which is what we 
> reference for the datatype). Technically, we specify the datatype's 
> identifier, but not the format of the datatype, so we don't actually 
> have the freedom to re-define the type unless we define it from scratch.
> 
> Tim, do you have a specific use case that requires this? I'm trying 
> hard, but I can't come up with a scenario where you need to pass two 
> rfc822Names to the match function and can't instead provide a string as 
> one parameter. Unless there's a real problem this solves, I wouldn't 
> want us to confuse the rfc822Name datatype.
> 
> 
> seth
> 
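The two positions in this thread (Seth: keep rfc822Name strictly an email address and put the wildcard in a string argument; Bill: a domain 'mask' such as '@bar.com') converge on a match function whose first argument is a string pattern and whose second is a real rfc822Name. The code below is an added illustration, not code from the thread or from any XACML implementation; it assumes the pattern forms that XACML 2.0 later specified for rfc822Name-match (whole address, bare domain, or '.'-prefixed domain suffix) and a deliberately minimal rfc822Name parser.

```python
# Added example (not from the thread): XACML 2.0-style rfc822Name-match where
# the first argument is a *string* pattern and the second a real rfc822Name.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rfc822Name:
    """Minimal rfc822Name value: exactly one '@' with non-empty parts."""
    local: str
    domain: str

    @classmethod
    def parse(cls, value: str) -> "Rfc822Name":
        # "*" or ".com" are rejected here, which is Seth's point: they are
        # not email addresses, so they belong in the string pattern instead.
        if value.count("@") != 1:
            raise ValueError(f"not an rfc822Name: {value!r}")
        local, domain = value.split("@")
        if not local or not domain or "." in (domain[0], domain[-1]):
            raise ValueError(f"not an rfc822Name: {value!r}")
        return cls(local, domain)


def rfc822name_match(pattern: str, name: Rfc822Name) -> bool:
    """Pattern forms: 'user@host' (whole address, local part case-sensitive,
    domain case-insensitive), 'host' (exact domain) or '.host' (domain or
    any of its subdomains)."""
    domain = name.domain.lower()
    if "@" in pattern:
        p_local, p_domain = pattern.split("@", 1)
        return p_local == name.local and p_domain.lower() == domain
    p = pattern.lower()
    if p.startswith("."):
        return domain == p[1:] or domain.endswith(p)
    return domain == p


def policy_applies(pattern: str, request_value: str) -> bool:
    """Evaluate a target match: the policy supplies the string pattern,
    the request context supplies the rfc822Name resource-id (assumed
    to arrive as its string lexical form)."""
    try:
        name = Rfc822Name.parse(request_value)
    except ValueError:
        return False  # a malformed request attribute never matches
    return rfc822name_match(pattern, name)
```

With this split, Tim's "*"-valued policy becomes a domain pattern on the string side, while every value typed rfc822Name in the request context still has to be a syntactically valid address.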