Subject: Re: [xacml] Inputs to rfc822Name-match
Doesn't RFC822 have all sorts of bizarre stuff in it, like {george,john,paul,ringo}@beatles.com

-Polar

On Thu, 13 May 2004, Bill Parducci wrote:

> perhaps we could create a 'mask' that would the name to conform, but provide for
> a range of values to match? (ala IP masking)
>
> in other words the resource could be 'foo@bar.com' with a mask of '@bar.com' and
> any request of type rfc822 containing the domain '@bar.com' would result in a
> match. it is kind of a long way around to do the same thing i think tim is
> asking for but it leaves the rfc822 names valid and extends by allowing the
> [soon to be omnipotent ;o] context handler to match a range via an *extension*
> of the rfc822 names.
>
> i dunno, just thinking out of the box. (i definitely think there is a valid use
> case for this).
>
> b
>
> Tim Moses wrote:
> > Seth - I am picturing a situation like this ...
> >
> > A policy is written to apply to the resource "email addresses". In this
> > case, the target would contain a resource match with the attribute
> > designator "resource-id", of type "string" and value "*".
> >
> > A context request is received containing the resource attribute
> > "resource-id", of type "RFC 822 name" and the value "anderson@sun.com".
> >
> > How can the PDP tell that the policy is applicable? The resource-ids match,
> > the data types don't match and "*" isn't obviously an email address.
> >
> > So, always making the general form the same type as the specific form would
> > assist matching. This happens naturally for X.500 names and (I hope) the
> > other name forms.
> >
> > All the best. Tim.
> >
> > -----Original Message-----
> > From: Seth.Proctor@Sun.COM [mailto:Seth.Proctor@Sun.COM]
> > Sent: Thursday, May 13, 2004 1:11 AM
> > To: Tim Moses
> > Cc: 'XACML'
> > Subject: Re: [xacml] Inputs to rfc822Name-match
> >
> > Tim Moses wrote:
> >
> >> Anne - I know you are right. But, WE define
> >> urn:oasis:names:tc:xacml:2.0:data-type:rfc822Name. So, if we want "*"
> >> to be a valid instance of this type, then it can be. Can't it?
> >
> > It could be, but why would we want this? I can't think of any reason why
> > we'd want someone able to specify * or .com or something similar as a
> > valid email address (since that breaks with rfc822, which is what we
> > reference for the datatype). Technically, we specify the datatype's
> > identifier, but not the format of the datatype, so we don't actually
> > have the freedom to re-define the type unless we define it from scratch.
> >
> > Tim, do you have a specific use case that requires this? I'm trying
> > hard, but I can't come up with a scenario where you need to pass two
> > rfc822Names to the match function and can't instead provide a string as
> > one parameter. Unless there's a real problem this solves, I wouldn't
> > want us to confuse the rfc822Name datatype.
> >
> > seth
> >
> > To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/xacml/members/leave_workgroup.php.
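The thread turns on where the "range" semantics should live: in the rfc822Name value itself (Tim's "*" instance, Bill's '@bar.com' mask) or in the match function with a plain string as the pattern argument (Seth's position). The following is an added example written for this page in Python; it is not code from the XACML TC, from any XACML implementation, or from anyone in the thread. It implements the string-pattern side of the argument using the three pattern forms that XACML's rfc822Name-match function specifies (a full address, a bare domain, and a leading-dot domain suffix), and it rejects at the type boundary anything that is not a single mailbox, so Polar's RFC 822 group syntax and a bare "*" never become valid rfc822Name instances. The shape check for an rfc822Name is a deliberately simplified grammar and is an assumption of this example, not the spec's definition. Bill's '@bar.com' mask corresponds here to the bare-domain pattern 'bar.com'; a pattern containing '@' is treated as a complete address.

```python
"""
String-pattern matching against a typed rfc822Name value.

Constructed example for the thread above; not code from the XACML TC or any
XACML implementation. The match rules follow the three pattern forms of
XACML's rfc822Name-match function (full address, ".domain" suffix, bare
domain). The shape check for the rfc822Name value is a deliberately strict
simplification (an assumption of this example): one local-part, one "@",
a dotted domain, no RFC 822 group/list syntax and no wildcards.
"""
import re

# Permissive local-part (RFC 5322 atext plus "."), one label per DNS component,
# at least two labels in the domain. Simplified on purpose; see module docstring.
_LOCAL = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+"
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_RFC822NAME = re.compile(rf"^({_LOCAL})@({_LABEL}(?:\.{_LABEL})+)$")


def parse_rfc822name(value: str) -> tuple[str, str]:
    """Split a typed rfc822Name into (local_part, domain_part).

    Raises ValueError for anything that is not a single mailbox, so a value
    like "*" or "{george,john,paul,ringo}@beatles.com" is rejected at the type
    boundary rather than silently treated as a pattern.
    """
    m = _RFC822NAME.fullmatch(value)
    if m is None:
        raise ValueError(f"not a valid rfc822Name: {value!r}")
    return m.group(1), m.group(2)


def is_rfc822name(value: str) -> bool:
    """Boolean wrapper around parse_rfc822name for callers that only need a check."""
    try:
        parse_rfc822name(value)
    except ValueError:
        return False
    return True


def rfc822name_match(pattern: str, name: str) -> bool:
    """Return True if the string `pattern` selects the rfc822Name `name`.

    pattern "Anderson@sun.com": whole-address match, local-part case-sensitive,
                                domain case-insensitive.
    pattern "sun.com":          any mailbox exactly at that domain.
    pattern ".east.sun.com":    any mailbox in a subdomain below east.sun.com.
    The pattern side is a plain string, so the rfc822Name type never has to
    admit "*" or partial addresses as valid instances.
    """
    local, domain = parse_rfc822name(name)
    domain = domain.lower()

    if "@" in pattern:
        p_local, p_domain = pattern.rsplit("@", 1)
        return local == p_local and domain == p_domain.lower()
    if pattern.startswith("."):
        return domain.endswith(pattern.lower())
    return domain == pattern.lower()


if __name__ == "__main__":
    # Constructed sample inputs, including the cases raised in the thread.
    print(rfc822name_match("sun.com", "anderson@sun.com"))           # True
    print(rfc822name_match("bar.com", "foo@BAR.com"))                # True
    print(rfc822name_match(".sun.com", "anderson@east.sun.com"))     # True
    print(rfc822name_match("Anderson@sun.com", "anderson@sun.com"))  # False
    print(is_rfc822name("*"))                                        # False
    print(is_rfc822name("{george,john,paul,ringo}@beatles.com"))     # False
```

The design point is the one Seth makes: keeping the second argument a strictly validated rfc822Name means a request attribute can never smuggle in a wildcard or a group address that a policy target would then match more broadly than intended, while the string pattern still gives Bill's "any address at this domain" range.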