xacml message



Subject: Re: Combining algorithm combining orders



On Fri, 26 Sep 2008, at 11:52 PM, Erik Rissanen wrote:

> Notice how the result depends on what the indeterminate could
> potentially be. However, the current definition gives a definite Deny in
> all cases. This breaks the error propagation safety of the combining
> algorithm.

Error propagation safety??? Error should not be propagated if that
can be avoided. The whole point of the Indeterminate value is that it
can be explicitly handled by a combining algorithm, and error
propagation avoided whenever possible. Just throwing an exception
all the way to the client is what we have tried to avoid.

In all the examples the result would be Deny if no error had occurred.
There is no reason to propagate errors (and to give a would-be
attacker any hints that some sort of disruption actually worked) when
there is a clear decision. It is somewhat different on the rule
combining level, as it does not return the result to the PEP, so it
is ultimately handled on the policy combining level.

I think we have designed it this way on purpose. I do not think it
is a mistake.

Daniel;


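The two positions in this exchange, shown side by side as an added example that is not part of the thread: an XACML 2.0-style deny-overrides policy combiner that collapses Indeterminate into a definite Deny, next to a variant that returns Indeterminate when no Deny is present. The choice of deny-overrides as the algorithm under discussion and the sample policies are assumptions; the policies are plain Python callables standing in for evaluated Policy elements.

```python
# Added example, not from the thread; deny-overrides is assumed to be the
# combining algorithm under discussion, and the sample policies are constructed.
PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = (
    "Permit", "Deny", "NotApplicable", "Indeterminate")


def evaluate(policy, request):
    """Evaluate one policy, mapping an evaluation error (e.g. a missing
    attribute) to Indeterminate instead of raising to the caller."""
    try:
        return policy(request)
    except Exception:
        return INDETERMINATE

def deny_overrides_2_0(decisions):
    """XACML 2.0-style deny-overrides: any Deny wins, and an Indeterminate
    with no Deny present is collapsed to a definite Deny."""
    if DENY in decisions:
        return DENY
    if INDETERMINATE in decisions:
        return DENY
    if PERMIT in decisions:
        return PERMIT
    return NOT_APPLICABLE

def deny_overrides_propagating(decisions):
    """Variant that returns Indeterminate when there is no Deny, so the
    caller can see that a policy failed to evaluate."""
    if DENY in decisions:
        return DENY
    if INDETERMINATE in decisions:
        return INDETERMINATE
    if PERMIT in decisions:
        return PERMIT
    return NOT_APPLICABLE

def combine(policies, request, algorithm):
    """Evaluate every policy against the request and combine the results."""
    return algorithm([evaluate(p, request) for p in policies])


# Constructed sample policies (hypothetical, not from any XACML spec).
def deny_contractors(req):
    return DENY if req["role"] == "contractor" else NOT_APPLICABLE

def permit_staff(req):
    return PERMIT if req["role"] == "staff" else NOT_APPLICABLE

def needs_clearance(req):  # KeyError when "clearance" is absent -> Indeterminate
    return DENY if req["clearance"] < 3 else NOT_APPLICABLE
```

With a Deny already present, both combiners return Deny and the failed policy stays invisible to the requester; only when the sole signal is the error do they diverge.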
