
Subject: Re: [xacml] New core and multiple resource profile and hierarchical

Hi Daniel,

Not only did I give a concrete use case many emails ago, I also gave a 
structured data representation of the relations in the use case, which 
showed explicitly the distinction between the DAG and forest structures 
as well as its impact on the use case, which effectively would be chaos. 
This example was given in response to a request at the Feb 27 TC meeting.

There was considerable follow-up discussion where I showed how the 
simple example could be applied to other real world business 
applications that could be modeled the same way.

In each example, the forest was necessary to maintain order and control, 
and the DAG resulted in random associations between otherwise unrelated 


Daniel Engovatov wrote:
>> What it MUST include however, is the forest model. The reason for 
>> this is that the existing profile gives:
> Several weeks into this discussion, I still have not seen a single 
> concrete use case that warrants this.
>> As the profile stands now, with a choice of general DAG and concrete 
>> URI, I believe many customers will be unknowingly led into an 
>> insecure DAG, when a perfectly reasonable secure forest could be 
>> shown to be a clear alternative, with the extra cost, of course, of 
>> maintaining the membership in the original hierarchies, which is 
>> necessary to generalize the URI scheme.
> I still have not seen a single compelling example why DAG is 
> "insecure" in any form. Applicable policy is entirely explicit, and 
> easy to analyze.
> Daniel;
