

Subject: Re: [xacml] Inputs to rfc822Name-match



Doesn't RFC822 have all sorts of bizarre stuff in it, like

{george,john,paul,ringo}@beatles.com

-Polar

On Thu, 13 May 2004, Bill Parducci wrote:

> perhaps we could create a 'mask' that would the name to conform, but provide for
> a range of values to match? (ala IP masking)
>
> in other words the resource could be 'foo@bar.com' with a mask of '@bar.com' and
> any request of type rfc822 containing the domain '@bar.com' would result in a
> match. it is kind of a long way around to do the same thing i think tim is
> asking for but it leaves the rfc822 names valid and extends by allowing the
> [soon to be omnipotent ;o] context handler to match a range via an *extension*
> of the rfc822 names.
>
> i dunno, just thinking out of the box. (i definitely think there is a valid use
> case for this).
>
> b
>
> Tim Moses wrote:
> > Seth - I am picturing a situation like this ...
> >
> > A policy is written to apply to the resource "email addresses".  In this
> > case, the target would contain a resource match with the attribute
> > designator "resource-id", of type "string" and value "*".
> >
> > A context request is received containing the resource attribute
> > "resource-id", of type "RFC 822 name" and the value "anderson@sun.com".
> >
> > How can the PDP tell that the policy is applicable?  The resource-ids match,
> > the data types don't match and "*" isn't obviously an email address.
> >
> > So, always making the general form the same type as the specific form would
> > assist matching.  This happens naturally for X.500 names and (I hope) the
> > other name forms.
> >
> > All the best.  Tim.
> >
> > -----Original Message-----
> > From: Seth.Proctor@Sun.COM [mailto:Seth.Proctor@Sun.COM]
> > Sent: Thursday, May 13, 2004 1:11 AM
> > To: Tim Moses
> > Cc: 'XACML'
> > Subject: Re: [xacml] Inputs to rfc822Name-match
> >
> >
> >
> > Tim Moses wrote:
> >
> > > Anne - I know you are right.  But, WE define
> > > urn:oasis:names:tc:xacml:2.0:data-type:rfc822Name.  So, if we want "*"
> > > to be a valid instance of this type, then it can be.  Can't it?
> >
> >
> > It could be, but why would we want this? I can't think of any reason why
> > we'd want someone able to specify * or .com or something similar as a
> > valid email address (since that breaks with rfc822, which is what we
> > reference for the datatype). Technically, we specify the datatype's
> > identifier, but not the format of the datatype, so we don't actually
> > have the freedom to re-define the type unless we define it from scratch.
> >
> > Tim, do you have a specific use case that requires this? I'm trying
> > hard, but I can't come up with a scenario where you need to pass two
> > rfc822Names to the match function and can't instead provide a string as
> > one parameter. Unless there's a real problem this solves, I wouldn't
> > want us to confuse the rfc822Name datatype.
> >
> >
> > seth
> >
> > To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/xacml/members/leave_workgroup.php.
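The thread above weighs three ways of expressing "any address at this domain": an rfc822Name wildcard such as "*", Bill's mask ('@bar.com'), or Seth's suggestion that one argument simply be a plain string. The following is an added example, written for this archive page and not taken from the thread or from any XACML implementation. It implements the semantics XACML 2.0 gives urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match, which follows Seth's string-first-argument approach: a pattern containing "@" must match the whole address (local part case-sensitive, domain case-insensitive), a bare domain matches exactly that domain, and a domain with a leading "." matches that domain and all its subdomains. The sample addresses are constructed for the demonstration.

```python
from typing import List, Tuple

# Constructed sample values for the demonstration (the thread's sun.com and
# bar.com examples, with case varied to exercise the rules).
SAMPLE_NAMES = [
    "anderson@sun.com",
    "Anderson@SUN.COM",
    "anne.anderson@ISRG.EAST.SUN.COM",
    "foo@bar.com",
]


def split_rfc822(name: str) -> Tuple[str, str]:
    """Split a complete rfc822Name into (local-part, domain-part).

    An XACML rfc822Name is local-part@domain-part.  Anything without exactly
    one '@', or with an empty side, is rejected rather than guessed at; this
    is why "*" or "@bar.com" cannot be smuggled in as a 'wildcard name'.
    """
    if name.count("@") != 1:
        raise ValueError(f"not a valid rfc822Name: {name!r}")
    local, domain = name.split("@")
    if not local or not domain:
        raise ValueError(f"not a valid rfc822Name: {name!r}")
    return local, domain


def is_valid_rfc822name(name: str) -> bool:
    """True if the value is accepted as an rfc822Name by split_rfc822()."""
    try:
        split_rfc822(name)
        return True
    except ValueError:
        return False


def rfc822name_match(pattern: str, name: str) -> bool:
    """rfc822Name-match(string pattern, rfc822Name name) -> boolean.

    Rules (XACML 2.0 semantics for this function):
      * pattern contains '@'  : whole address; local part compared
                                case-sensitively, domain case-insensitively
      * pattern starts with '.': any address in that domain or a subdomain
      * otherwise              : any address in exactly that domain
    The second argument must be a complete, valid rfc822Name.
    """
    local, domain = split_rfc822(name)
    d = domain.lower()

    if "@" in pattern:
        p_local, p_domain = split_rfc822(pattern)
        return p_local == local and p_domain.lower() == d

    p = pattern.lower()
    if p.startswith("."):
        # ".east.sun.com" matches x@east.sun.com and x@isrg.east.sun.com
        return d == p[1:] or d.endswith(p)

    # Bare domain: exact domain only, so "sun.com" does not cover east.sun.com
    return d == p


def matching_names(pattern: str, names: List[str]) -> List[str]:
    """Return the names from `names` that the pattern selects, in order."""
    return [n for n in names if rfc822name_match(pattern, n)]


if __name__ == "__main__":
    for pat in ["Anderson@sun.com", "sun.com", ".sun.com", "bar.com", "*"]:
        print(f"{pat!r:20} -> {matching_names(pat, SAMPLE_NAMES)}")
```

Note that "*" as a pattern matches nothing: it is treated as a domain literally named "*", and it is not a valid rfc822Name either. Under these semantics a policy that should apply to every email address leaves the resource match out altogether rather than encoding a wildcard in the name type, which is the point Seth makes about not redefining the datatype. Bill's mask case ('@bar.com') is covered by the bare-domain pattern "bar.com".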

