
# xacml message


Subject: Re: [xacml] Re: Policy equivalence [was: The Indeterminate flavors question]

• From: Erik Rissanen <erik@axiomatics.com>
• To: xacml@lists.oasis-open.org
• Date: Thu, 05 May 2011 10:09:00 +0200

Hi,

(Tried to post this earlier, but there was an outage in the OASIS email
servers it seems.)

Maybe, but it also goes against current concepts in XACML and is not
that easy to define.

- It puts restrictions on combining algorithms. For instance the
permit-unless-deny and deny-unless-permit algorithms would be disallowed.

- I haven't thought it through properly, but I suspect that of the four
possible decisions, we can make only one decision "linear". So, if we
for instance make Indeterminate linear, then NotApplicable cannot be so
because at any given level the conflict between a notapplicable and
indeterminate has to be resolved. If there is a target T1 which causes
Indeterminate and a target T2 which causes NotApplicable, depending on
which one we push down in the equivalent policy, assuming we push down
only one of them, we could get different results since given any single
definition of priority, only one of them can truly become linear. So
linearity probably is not possible to achieve. (If I got this right...)

- The equivalency conditions are not that simple since the order of
expressions in the equivalent policies matters, so we would need to be
expression short circuits, so we must take care to join the pushed down
conditional expressions properly in relation to everything else which
exists or is pushed down. Can probably be done, but not very simple,
which raises the following question:

- What specifically is the proposal on the table and for what benefit?
Is the proposal that we define some transformation in the spec? For what
purpose? Is it that we require certain meta conditions on combining
algorithms so some transformation supposedly holds? Which transformation
is this and what are the conditions on the algorithms?

Best regards,
Erik

On 2011-04-29 09:28, remon.sinnema@emc.com wrote:
>> -----Original Message-----
>> From: Tyson, Paul H [mailto:PTyson@bellhelicopter.textron.com]
>> Sent: Monday, April 25, 2011 3:22 PM
>> To: Erik Rissanen; xacml
>> Subject: RE: [xacml] The Indeterminate flavors question
>>
>> In the longer term the TC should work out a comprehensive logical
>> framework that explicitly either confirms or denies the "policy
>> equivalence" (or "linearity" as Erik called it) between a policy with a
>> non-empty target and the same policy with an empty target and the
>> attribute tests distributed to the descendant conditions (with
>> appropriate syntactic modifications).  Hal has said the TC has avoided
>> previous attempts to define "policy equivalence", but I assume that was
>> in general, not for this specific issue.
> I agree that policy equivalence/linearity makes a lot of sense from the perspective of being able to understand XACML policies.
> It might also enable certain optimizations in implementations.
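The first of Erik's bullets (that permit-unless-deny and deny-unless-permit cannot survive the "push the target down" transformation) can be checked mechanically. The following is an added illustration, not code from this thread or from any XACML implementation. It models a policy as a target predicate plus rules, applies the transformation Paul describes (empty target, target test AND-ed into every rule condition), and compares decisions under deny-overrides and permit-unless-deny. Names (`Policy`, `Rule`, `push_target_down`, `compare`), the sample policy and the sample requests are all constructed for the example, and Indeterminate is collapsed to a single value, ignoring the {D}/{P}/{DP} flavours the thread is named after.

```python
"""Toy XACML-style evaluator for testing the "push the target down" rewrite.

Added illustration, not code from the mailing-list thread or any XACML engine.
Decision values and the two combining algorithms follow XACML 3.0 in spirit,
but Indeterminate is collapsed to one value (no {D}/{P}/{DP} flavours).
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "NotApplicable", "Indeterminate"

# A predicate over the request returns True/False; raising models a missing or
# malformed attribute, which XACML reports as Indeterminate.
Predicate = Callable[[Dict[str, str]], bool]


@dataclass
class Rule:
    effect: str           # PERMIT or DENY
    condition: Predicate  # evaluated only once the enclosing target matched


@dataclass
class Policy:
    target: Predicate
    rules: List[Rule]
    algorithm: str        # "deny-overrides" or "permit-unless-deny"


def eval_pred(pred: Predicate, request: Dict[str, str]):
    """Return True/False, or INDETERMINATE when the predicate cannot be evaluated."""
    try:
        return bool(pred(request))
    except Exception:  # e.g. KeyError for a missing attribute
        return INDETERMINATE


def eval_rule(rule: Rule, request: Dict[str, str]) -> str:
    c = eval_pred(rule.condition, request)
    if c == INDETERMINATE:
        return INDETERMINATE
    return rule.effect if c else NOT_APPLICABLE


def combine(algorithm: str, decisions: List[str]) -> str:
    """Simplified combining algorithms (Indeterminate flavours collapsed)."""
    if algorithm == "deny-overrides":
        if DENY in decisions:
            return DENY
        if INDETERMINATE in decisions:
            return INDETERMINATE
        if PERMIT in decisions:
            return PERMIT
        return NOT_APPLICABLE
    if algorithm == "permit-unless-deny":
        # Never yields NotApplicable or Indeterminate: anything but Deny becomes Permit.
        return DENY if DENY in decisions else PERMIT
    raise ValueError(f"unknown algorithm {algorithm!r}")


def eval_policy(policy: Policy, request: Dict[str, str]) -> str:
    t = eval_pred(policy.target, request)
    if t == INDETERMINATE:
        return INDETERMINATE          # target could not be evaluated
    if not t:
        return NOT_APPLICABLE         # target did not match: rules are never consulted
    return combine(policy.algorithm, [eval_rule(r, request) for r in policy.rules])


def push_target_down(policy: Policy) -> Policy:
    """The candidate "equivalent" policy: empty target, target AND-ed into each rule."""
    def conj(target: Predicate, cond: Predicate) -> Predicate:
        # Python's `and` short-circuits, so a failing target hides the condition,
        # which is exactly the ordering issue raised in the thread.
        return lambda req: target(req) and cond(req)
    return Policy(target=lambda req: True,
                  rules=[Rule(r.effect, conj(policy.target, r.condition)) for r in policy.rules],
                  algorithm=policy.algorithm)


def compare(algorithm: str, request: Dict[str, str]):
    """Return (original decision, pushed-down decision) for a constructed sample policy."""
    original = Policy(
        target=lambda req: req["resource"] == "ledger",            # non-empty target
        rules=[Rule(DENY, lambda req: req["role"] == "guest"),
               Rule(PERMIT, lambda req: req["role"] == "auditor")],
        algorithm=algorithm)
    return eval_policy(original, request), eval_policy(push_target_down(original), request)


if __name__ == "__main__":
    # Constructed sample requests: matching, non-matching, and missing-attribute cases.
    for alg in ("deny-overrides", "permit-unless-deny"):
        for req in ({"resource": "ledger", "role": "auditor"},
                    {"resource": "payroll", "role": "guest"},
                    {"role": "guest"}):
            print(alg, req, compare(alg, req))
```

Under deny-overrides the two forms agree on every sample request, including the one whose missing `resource` attribute makes the target Indeterminate. Under permit-unless-deny they diverge as soon as the target fails or cannot be evaluated: the original policy answers NotApplicable or Indeterminate, while the pushed-down policy feeds all-NotApplicable or all-Indeterminate rule decisions into an algorithm that maps anything but Deny to Permit. That is the restriction on combining algorithms the message refers to.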