Subject: Re: [xacml] New Issue#83: CORE ERRATA: error in 7.15.3 Missingattributes
I concur with both of these.

Anne

Erik Rissanen wrote:
> I am correcting this in 3.0 and the errata. I changed it to "may result"
> since it is not certain the end result will be indeterminate. There
> could be another policy which works and is selected by the policy
> combining algorithm. I also added "if the designator or selector has the
> MustBePresent XML attribute set to true", to not confuse with empty bags.
>
> While looking into this I think I have found another minor error. In
> section 5.42 it says:
>
> ---
>
> If the node selected by the specified XPath expression is not one of
> those listed above (i.e. a text node, an attribute node, a processing
> instruction node or a comment node), then the result of the enclosing
> */policy/* SHALL be "Indeterminate" with a StatusCode value of
> "urn:oasis:names:tc:xacml:1.0:status:syntax-error".
>
> ---
>
> I think this is incorrect. It should be that the value of the attribute
> selector element is indeterminate, not the enclosing policy. The value
> of the policy (or rule actually) would depend on the combining
> algorithm, which could find another policy which it prefers.
>
> Do you agree with me?
>
> Regards,
> Erik
>
>
> Anne Anderson - Sun Microsystems wrote:
>
>>Section 7.15.3 says that the absence of matching attributes referenced
>>"in the policy" "SHALL result" in a decision of "Indeterminate". This
>>is INCORRECT. Unless an AttributeDesignator or AttributeSelector
>>contains the "MustBePresent" XML attribute, it will evaluate to an
>>empty bag if its referenced Attribute is not present in the Request
>>Context. An empty bag does not necessarily result in "Indeterminate" -
>>you have to look at the definition and use context of each XACML
>>function to determine how it deals with an empty bag. For some
>>functions, such as "type-bag-size", "type-is-in", "type-intersection",
>>an empty bag is a normal input to the function. Also, in the Target
>>element MatchId functions, an empty bag parameter results in
>>"NotApplicable" rather than "Indeterminate".
>>
>>I stumbled across this in checking a claim by one of the interop
>>participants that "the definition of Indeterminate seems to be
>>ambiguous".
>>
>>Regards,
>>Anne
>
>

--
Anne H. Anderson, Sun Microsystems Laboratories
1 Network Drive,UBUR02-311, Burlington, MA 01803-0902 USA
Tel: 781/442-0928
Fax: 781/442-1692
Email: Anne.Anderson@Sun.COM until mid-August 2007
Email: Anne.Anderson@alum.swarthmore.edu after mid-August 2007
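
The distinction discussed in this thread, as an added example that is not part of the original messages and not taken from the XACML specification: a simplified Python model (not a conformant PDP) of a missing attribute with and without MustBePresent, and of a combining algorithm that still finds a usable policy. The policies, requests, attribute ids and the reduced permit-overrides precedence are constructed assumptions.

```python
# Added illustration: simplified model, not a conformant XACML PDP.
PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = (
    "Permit", "Deny", "NotApplicable", "Indeterminate")

class MissingAttribute(Exception):
    """A designator with MustBePresent="true" found no matching attribute."""

def designator(request, attribute_id, must_be_present=False):
    bag = list(request.get(attribute_id, []))
    if not bag and must_be_present:
        raise MissingAttribute(attribute_id)
    return bag  # without MustBePresent, an empty bag is an ordinary value

def target_matches(request, attribute_id, expected):
    # An empty bag has no element to match, so the target simply does not apply.
    return any(v == expected for v in designator(request, attribute_id))

def evaluate_policy(policy, request):
    try:
        if not target_matches(request, *policy["target"]):
            return NOT_APPLICABLE
        return policy["effect"] if policy["condition"](request) else NOT_APPLICABLE
    except MissingAttribute:
        return INDETERMINATE

def permit_overrides(policies, request):
    # Simplified precedence (assumption): Permit, then Deny, then Indeterminate.
    decisions = [evaluate_policy(p, request) for p in policies]
    for decision in (PERMIT, DENY, INDETERMINATE):
        if decision in decisions:
            return decision
    return NOT_APPLICABLE

# Constructed policies (hypothetical attribute ids "action", "role", "owner").
STRICT = {"target": ("action", "read"), "effect": PERMIT,
          "condition": lambda r: "admin" in designator(r, "role", must_be_present=True)}
LENIENT = {"target": ("action", "read"), "effect": PERMIT,
           "condition": lambda r: "alice" in designator(r, "owner")}  # is-in on a bag

# Constructed requests, each missing one attribute.
NO_ROLE = {"action": ["read"], "owner": ["alice"]}
NO_OWNER = {"action": ["read"], "role": ["admin"]}
NO_ACTION = {"role": ["admin"]}

if __name__ == "__main__":
    print(evaluate_policy(STRICT, NO_ROLE))               # MustBePresent, attribute missing
    print(permit_overrides([STRICT, LENIENT], NO_ROLE))   # another policy still applies
    print(evaluate_policy(LENIENT, NO_OWNER))             # empty bag in a condition
    print(evaluate_policy(STRICT, NO_ACTION))             # empty bag in the target
```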