OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [xacml] Updated working drafts posted

 

> -----Original Message-----
> From: bill parducci [mailto:bill@parducci.net] 
> Sent: Wednesday, December 16, 2009 09:59
> To: Tyson, Paul H
> Cc: Erik Rissanen; xacml
> Subject: Re: [xacml] Updated working drafts posted
> 
> 
> It seems counterintuitive that Obligations would effectively 
> be dropped as this would be in variance with what the Author 
> intended when writing the Policy. If we are going to punt on 
> Obligation combination (I agree that it is a monstrous 
> issue), then I suggest that Policies with Obligations not be 
> combinable based on the assumption that the only entity that 
> knows "if Obligations are important" is the Author (and I 
> believe that Obligations are normative as of v3).
> 

Now that you mention "author's intent", it is apparent that the general
decision-combining mechanism that we have proposed is a blatant
violation.  It allows a PEP to obtain a unitary decision of its own
choosing over a collection of arbitrary requests, regardless of the
policy author's intent for each of those requests individually.

We should eliminate the decision-combining-algorithm functionality.  A
PEP may request a unitary decision, but it should be controlled by the
specification as follows:
	"NotApplicable" if any decision in "NotApplicable"
	"Permit" only if all decisions are "Permit"
	"Deny" only if all decisions are "Deny"
	"Indeterminate" otherwise

Unless the policy author and the PEP developer have agreed on some
special behavior, it will not, in general, be safe to short-circuit the
evaluation of multiple requests and return "Deny" on the first "Deny" or
"Permit" on the first "Permit".  The specification should prevent the
PDP from issuing any decision that is not explicitly foreseen and
allowed by the policy author.

Even so, we should still specify that a combined-decision should be
"Indeterminate" when any decision has Obligation or Advice attached.
Obligations and Advice differ only in their normative effect on the PEP.
The policy author expects them both to be attached to the decision
issued by the PDP.  If the PDP can't do this for a combined decision, it
should return "Indeterminate" because the author's intent cannot be
fulfilled.

--Paul

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]