Subject: Re: [xacml] Groups - XACML v3.0 administration policy, Working draft02, 8 April 2005 (access_control-xacml-3.0-admininstration-wd-02.zip) uploaded
Everyone,

I have read this now and I have a couple of comments.

First, in section 3, lines 90-91: I still really think that XACML should allow constraining the PolicyIssuerMatch element. :-) As the proposal is currently, this is the only feature missing for me to be able to implement everything we need here in Sweden.

In the processing model, section 5, in multiple places there are references to "the indicated combining algorithm". Where is this indicated?

Step 6: It says ".. then discard the pool". Should this be "... then discard the policy"? Also, strictly speaking the "increment the delegation depth variable" statement is probably misplaced. Perhaps it should be made a separate "step 8b", since steps 6-8 perform computations on each policy. Just to make it clear that the delegation depth variable should be incremented only once.

Step 9: It should be clear that the separation of policies into pools must not mix policies derived from different lower level pools.

Step 10: Again, where is the "indicated" policy combining algorithm defined?

Also, when it comes to combining the results within pools (with the "indicated" combining algorithm), I am not sure whether any other algorithm except permit-overrides makes sense. And in the case of permit-overrides, you really don't need to keep anything but the policy issuer in the pool, since it is the only thing that matters. Permit-overrides also makes it possible to optimize a little bit by only looking for any policy, not all policies, which support a pool.

Best regards,
Erik