Subject: Re: [xacml] FW: [xacml-comment] Incomplete definition of the ipAddress-is-in and dnsName-is-in functions


Hi Paul,

For IPv6 the IP address data type encoding is defined by:

http://www.ietf.org/rfc/rfc2732.txt

For IPv4 and the dnsname datatype it's by:

http://www.ietf.org/rfc/rfc2396.txt section 3.2

Neither appears to define equality testing or canonical forms.

The XACML DNSname type also defines a wildcard "*" which further 
complicates matters.

So it's a non-trivial exercise to define them. I would leave them. At 
least for now at this stage in the 3.0 process.

Best regards,
Erik

On 2011-04-07 22:57, Tyson, Paul H wrote:
> My initial thought is that it would be better to define equality
> functions for these types, even if they might not be completely
> determinate.  I'm not familiar with these types so I don't know what
> problems there might be.  But as a policy writer I appreciate having the
> type-is-in functions available.
>
> Regards,
> --Paul
>
> -----Original Message-----
> From: Erik Rissanen [mailto:erik@axiomatics.com]
> Sent: Tuesday, March 29, 2011 03:11
> To: xacml-comment@lists.oasis-open.org
> Subject: Re: [xacml-comment] Incomplete definition of the
> ipAddress-is-in and dnsName-is-in functions
>
> Steven,
>
> Thanks for spotting. I agree, the identifiers should be removed.
>
> Best regards,
> Erik
>
> On 2011-03-29 05:01, Steven Legg wrote:
>> Section 10.2.8 of the XACML 3.0 core specification (CS-01) lists
>> urn:oasis:names:tc:xacml:2.0:function:ipAddress-is-in and
>> urn:oasis:names:tc:xacml:2.0:function:dnsName-is-in as mandatory
>> to implement functions. The type-is-in functions are described in
>> appendix A.3.10 in terms of a corresponding
>> urn:oasis:names:tc:xacml:x.x:function:type-equal function, however
>> the necessary ipAddress-equal and dnsName-equal functions have not
>> been defined.
>>
>> Judging from the archives there is no intention of defining the
>> ipAddress-equal and dnsName-equal functions, in which case the
>> ipAddress-is-in and dnsName-is-in function identifiers should be
>> removed.
>>
>> Regards,
>> Steven
>>
>


