
Subject: Re: [xacml] x500


Hi Bill

the first problem I have is with the wording terminal sequence. 
Terminal sequence of an X.500 DN, from an X.500 perspective, is the leaf 
end of the DIT. In X.500 DNs are written as strings in little-endian 
order, i.e. they typically start with C= and typically end with CN=. LDAP 
then reversed this in its string format of RDNs, to be conformant with 
DNS big-endian name forms. So if you make the statement "terminal 
sequence of RDNs" it is ambiguous, do you mean the X.500 terminal 
sequence or the LDAP terminal sequence? I would therefore propose that 
the text is reworded to specify the semantics of what is intended rather 
than relying on the syntax of the particular strings. Semantically what 
is intended is that the two specified DIT subtrees match. So my 
rewording would be

"it SHALL return “True” if and only if the subtree specified by the 
first argument matches the root of the subtree specified by the second 
argument, when compared using x500Name-equal."

The second problem I have is, what if the first subtree is smaller than 
the second subtree? Do they still match? In all of Bill's examples, the 
first subtree was larger than the second subtree. So what is the result 
of the reverse case e.g.

first argument: dn=alice,ou=xacml, o=oasis
second argument: o=oasis

is this a match or not? If it does match, then the above text is 
sufficient. If it does not, the above text will need supplementing with 
"The first subtree must be larger than or equal to the second subtree".

regards

David


bill parducci wrote:
> ok, i read the x500 thread in comments about 6 times and i think i 
> understand both sides of the discussion. it seems like there is a simple 
> solution to "fix" it:
> 
> original:
> • urn:oasis:names:tc:xacml:1.0:function:x500Name-match 
> This function shall take two arguments of 
> "urn:oasis:names:tc:xacml:2.0:data-type:x500Name" and shall return an 
> "http://www.w3.org/2001/XMLSchema#boolean".  It shall return “True” if 
> and only if the first argument matches some terminal sequence of RDNs 
> from the second argument when compared using x500Name-equal.  
> 
> proposed change:
> • urn:oasis:names:tc:xacml:1.0:function:x500Name-match 
> This function shall take two arguments of 
> "urn:oasis:names:tc:xacml:2.0:data-type:x500Name" and shall return an 
> "http://www.w3.org/2001/XMLSchema#boolean".  It SHALL return “True” if 
> and only if the entire first argument matches the terminal sequence of 
> RDNs from the second argument when compared using x500Name-equal. 
> 
> i made the first change to correct the perception that only a portion of 
> the first argument must be matched. using the example in the thread this:
> 
> first argument: ou=hello,o=oasis
> second argument: dn=alice,ou=xacml,o=oasis
> 
> would be false.
> 
> i made the second change to be precise, effectively stating that 
> comparison must start at the last RDN on each string and work backwards. 
> therefore this:
> 
> first argument: dn=alice,ou=xacml
> second argument: dn=alice,ou=xacml,o=oasis
> 
> would be false
> 
> and this:
> 
> first argument: ou=xacml,o=oasis
> second argument: dn=alice,ou=xacml,o=oasis
> 
> would be true.
> 
> despite the plural nature of the text, i think the intent of this 
> function was to allow 1:n RDNs to match. if so, then we should modify this:
> 
> sequence of RDNs
> 
> to say this:
> 
> sequence of one or more RDNs 
> 
> making this true:
> 
> first argument: o=oasis
> second argument: dn=alice,ou=xacml,o=oasis
> 
> if not, then we should clarify and say this:
> 
> sequence of two or more RDNs 
> 
> making this an ERROR:
> 
> first argument: o=oasis
> second argument: dn=alice,ou=xacml,o=oasis
> 
> because you cannot have single RDN for first argument in this definition.
> 
> thoughts?
> 
> b

-- 

Aung San Suu Kyi

Thousands of people including British Prime Minister Gordon Brown, 
Archbishop Desmond Tutu, Vaclav Havel, David Beckham, Daniel Craig, 
Stephen Fry and countless others are calling for the release of Aung San 
Suu Kyi.

Show your support and add your message today
Just go to http://www.64ForSuu.org to add a video, text, image or twitter.

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************
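The following is an added worked example, not code from the thread or from any XACML implementation. It pins down the semantics Bill proposes ("the entire first argument matches a terminal sequence of one or more RDNs of the second") as a suffix comparison over parsed RDN lists and runs the DN pairs quoted in the thread through it, including David's reverse case, which is False under that reading. The `parse_dn` normalisation (lower-casing types and values, collapsing whitespace, no escaped commas or multi-valued RDNs) is a simplified stand-in for x500Name-equal and is an assumption of this example; the constructed sample DNs reuse the thread's own strings. Because the policy decision differs between the ambiguous readings, implementers should keep such cases as regression tests so that two PDPs do not silently disagree on the same policy.

```python
from typing import List, Tuple

# One RDN is modelled as (attribute type, attribute value), both normalised.
RDN = Tuple[str, str]


def parse_dn(dn: str) -> List[RDN]:
    """Split an LDAP-style DN string into RDNs in string order
    (most specific RDN first, e.g. 'dn=alice,ou=xacml,o=oasis').

    Simplified normalisation standing in for x500Name-equal (assumption):
    attribute types and values are compared case-insensitively and with
    surrounding/inner whitespace collapsed. Escaped commas and
    multi-valued RDNs are deliberately not handled.
    """
    rdns: List[RDN] = []
    for part in dn.split(","):
        part = part.strip()
        if not part:
            raise ValueError(f"empty RDN in {dn!r}")
        attr_type, sep, value = part.partition("=")
        if not sep or not attr_type.strip():
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        rdns.append((attr_type.strip().lower(), " ".join(value.split()).lower()))
    return rdns


def to_x500_order(rdns: List[RDN]) -> List[RDN]:
    """X.500 writes the same DN root-first (C= ... CN=); LDAP reversed it.
    The 'terminal sequence' in the LDAP string is the *leading* sequence
    in X.500 order, which is exactly the ambiguity David points out."""
    return list(reversed(rdns))


def x500name_equal(first: str, second: str) -> bool:
    """Whole-DN equality after normalisation."""
    return parse_dn(first) == parse_dn(second)


def x500name_match(first: str, second: str) -> bool:
    """Bill's proposed reading: True iff the *entire* first argument equals
    a terminal sequence of one or more RDNs of the second argument, i.e.
    the first DN names a DIT subtree that contains the second DN.

    A first argument longer than the second (David's reverse case) can
    never be a terminal sequence of it and therefore yields False.
    """
    subtree = parse_dn(first)
    name = parse_dn(second)
    if not subtree or len(subtree) > len(name):
        return False
    # Compare the tail of the second DN, in LDAP order, against the whole first DN.
    return name[len(name) - len(subtree):] == subtree


# Constructed from the DN pairs quoted in the thread; expected values follow
# Bill's proposed wording with "one or more RDNs".
THREAD_CASES = [
    ("ou=hello,o=oasis", "dn=alice,ou=xacml,o=oasis", False),   # partial first arg
    ("dn=alice,ou=xacml", "dn=alice,ou=xacml,o=oasis", False),  # not the terminal sequence
    ("ou=xacml,o=oasis", "dn=alice,ou=xacml,o=oasis", True),    # two-RDN suffix
    ("o=oasis", "dn=alice,ou=xacml,o=oasis", True),             # single-RDN suffix
    ("dn=alice,ou=xacml, o=oasis", "o=oasis", False),           # David's reverse case
]


def check_thread_cases() -> bool:
    """Return True only if every case from the thread evaluates as expected."""
    return all(x500name_match(a, b) == expected for a, b, expected in THREAD_CASES)


if __name__ == "__main__":
    for first, second, expected in THREAD_CASES:
        print(f"{first!r:32} vs {second!r:32} -> {x500name_match(first, second)} (expected {expected})")
```

The single-RDN case (`o=oasis`) is the one Bill flags as depending on "one or more" versus "two or more"; if the committee chose the latter reading, `x500name_match` would need an explicit length check (or an error) for a one-RDN first argument rather than the True it returns here.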

