[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Combining algorithms
All, We still have the combining algorithms issue to consider. I have written some text to consider and tried to organize the decisions we need to make. First, do we want to fix the current deny/permit policy algorithms at all? I think we should since it is not good that the basic algorithms are biased. It can lead to strange effects in policies, like a policy can return Deny although there is no rule with Effect="Deny" in it. Assuming that we do want to fix the basic combining algorithms so that they are not biased, then there are two orthogonal decisions for us to make: 1. Do we want to define biased algorithms as well, or do we rely on the PEP bias alone? 2. Do we want to make use of an extended Indeterminate to allow more fine grained treatment of errors in the combining algorithms? See the attached documents for what the different algorithms look like. comb-algs.doc contains combining algorithms which makes the basic algorithms unbiased and introduces separate biased algorithms. The word diff is against the current 3.0 working draft 7. comb-algs-extended.doc shows algorithms which make use of an extended indeterminate. The diff is against the unbiased algorithms in comb-algs.doc. I have not "ported" the other algorithms to the extended Indeterminate yet or written biased variants. Also note that under the extended indeterminate the rule and policy combining algorithms become the same, so I joined up their descriptions. My preference is that - The basic combining algorithms are made unbiased. (I feel strongly about this, the rest I care less about.) - We do not introduce biased alternatives. (I am happy with the PEP bias.) - We do not introduce an extended indeterminate. (I think it complicates matters for fairly little value.) Best regards, Erik
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]