[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: Combining algorithm combining orders
On Fri, 26 Sep 2008 , at 11:52 PM, Erik Rissanen wrote: > Notice how the result depends on what the indeterminate could > potentially be. However the current definition gives a definite > Deny in > all cases. This breaks the error propagation safety of the combining > algorithm. Error propagation safety??? Error should not be propagated if that can be avoided. The whole point of Indeterminate value is that it can be explicitly handled by a combining algorithm, and error propagation avoided whenever possible. Just throwing an exception all the way to the client is what we have tried to avoid. In all the examples result would be Deny if no error had occurred. There is no reason to propagate errors (and to give a would be attacker any hints that some sort of disruption actually worked) when there is a clear decision. It is somewhat different on the rule combining level, as it does not return the result to the PEP, so it is ultimately handled on the policy combining level. I think we have designed it this way on purpose. I do not think it is a mistake. Daniel;
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]