OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [xacml] Possible issue or editorial cleanup item - missing equalitypredicates, etc.

Hi Rich,

I was referring to this thread:


The minutes of the TC call where we discussed the issue are here:


I'm not sure how to read that, but I recall that we decided to not
introduce these equality functions. And since the set functions are
defined in terms of the equality functions, the set functions are also
undefined. I am pretty sure I pointed out this in the discussion, though
it's not recorded in the minutes. So the spec is right now as the TC has

Best regards,

Rich.Levinson wrote:
> Hi Erik,
> I looked up to find discussion on this and didn't quite get a match,
> although there was a ref in the Nov 6 minutes:
> http://lists.oasis-open.org/archives/xacml/200811/msg00027.html
> possibly related to this exchange on xacml-comment:
> http://lists.oasis-open.org/archives/xacml-comment/200811/msg00001.html
> Those were regarding details. I understand that one might consider
> regexp-match an alternative to <type>-equals, however, what I don't
> understand is why regexp-match is used for all of 4 xacml-defined
> datatypes for identifiers or resources:
>     * dnsName - A.3.13 line 4843 ->
>     * ipAddress - A.3.13 line 4835 ->
>     * rfc822Name - A.3.13 line 4851 ->
>     * x500Name - A.3.13 line 4859 ->
> while for <type>-equals there is only:
>     * rfc822Name - A.3.1 line 3982 ->
>     * x500Name - A.3.1 line 3968 ->
> These 4 datatypes are discussed in section A.2 starting on line 3850.
> There is additional detailed info as ref'd above for rfc822, x500
> under A.3.1 <type>-equals.
> As I look at it some more, it is beginning to appear that the
> comparable detail that is listed in A.2 for ipAddress and dnsName is
> in section A.3.1 for rfc822 and x500 under <type>-equals.
> There is something out of balance here at a cursory look. It would
> seem that either ipAddress and x500Name should also be in section
> A.3.1 or there should be an explanation as to why they are not. As it
> stands now, it looks like an editing error to me - not a serious
> error, but one that causes some confusion. And also, it looks like it
> might have occurred because ipAddress and dnsName were added later,
> which is why I suggested it was likely an oversight.
> Another possibility is that the info in section A.3.1 should be
> removed, put in section A.2 with the others and all of them should use
> regexp-match. i.e. the explanation of how to do rfc822Name-equal and
> x500Name-equal appears to be a stretch for a "-equal" function, esp.
> if the other two are done w regexp-match.
> It's not of earth-shattering importance, I admit, but this is a
> suggestion for the "clean-up" and on the surface, at least, it appears
> to me to be more of a cleanup than a correction of any specific error
> task, except that if the original update was inadvertent, it may
> effectively be introducing an error of imbalance, unless, of course,
> there is a reason, in which case it would be desirable to put the
> reason in section A.2.
>     Thanks,
>     Rich
> Rich.Levinson wrote:
>> Hi Erik,
>> That's fine. It would be useful to dig up the rationale, and possibly
>> put it in the doc somewhere, such as section A.2 where these items
>> are discussed in some detail.
>> Also, my last question was simply if there is any relation between
>> the dns-name of the Subject attribute and the dnsName of the
>> datatype. Same for ip-address. i.e.would it be reasonable to expect
>> that these datatypes would apply to AttributeValues associated with
>> those subject attribute ids? I suppose the answer is obvious - that
>> there could be but doesn't have to be. But I was also wondering what
>> motivated the addition of these datatypes. Possibly it was related to
>> the remark I just noticed on line 5098-99 which preceded the subject
>> attributes:
>>    The following identifiers indicate the location where authentication
>>    credentials were activated.  They are intended to support the
>>    corresponding entities from the SAML authentication statement [SAML].
>> i.e. there was some SAML activity with these, which appears to have
>> raised their visibility to the point where they were late additions
>> to the xacml datatypes.
>>    Thanks,
>>    Rich
>> Erik Rissanen wrote:
>>> Hi Rich,
>>> I think we discussed this some time ago. It's intentional since
>>> there are pattern matching functions instead. And, yes, I also
>>> pointed out that this means that the set functions are not defined
>>> for those data types because of this, but I think this was not seen
>>> as a problem. I don't recall the details of the discussion though,
>>> so I might be mistaken.
>>> I don't understand your last question.
>>> Best regards,
>>> Erik
>>> Rich.Levinson wrote:
>>>> There are no equality predicates in section A.3.1 for the following
>>>> datatypes:
>>>>     * urn:oasis:names:tc:xacml:2.0:data-type:ipAddress
>>>>     * urn:oasis:names:tc:xacml:2.0:data-type:dnsName
>>>>     * urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression
>>>> I don't know if this was intentional, but suspect it was just an
>>>> oversight as these 3 data types were added after XACML 1.1.
>>>> Also, it appears some or all of them may be missing from some
>>>> functions:
>>>>     * intersection
>>>>     * at-least-one-member-of
>>>>     * union
>>>>     * subset
>>>>     * set-equal
>>>> Also, I am curious what, if any, association might or might not be
>>>> intended between the first two above and the Subject identifiers:
>>>>     * urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address
>>>>     * urn:oasis:names:tc:xacml:2.0:data-type:dnsName
>>>>     Thanks,
>>>>     Rich

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]