Subject: New Issue: need to resolve ambiguities in combining algorithms wrt Obligations/Advice
To TC:

This issue may have been raised before in some context; however, afaik, there has been no attempt to address it yet. However, imo, it should be addressed in some form or other to enable developers to implement the algorithms in a deterministic manner.

The issue can be seen with deny-overrides. For example, if there are 10 permit rules, then you can get back 10 sets of obligations, but if you also have 10 deny rules you can get back only one of the 10 sets of deny obligations.

I believe Erik has also called attention to this issue in WD-20: lines 5346-5347: "The decisions may be processed in any order, so the set of obligations provided by this algorithm is not deterministic." with similar statements preceding other algorithms. Same should apply to Advice.

The ref in Implementor's Guide missed this issue, and explicitly said that Obligations do not impact their analysis, but they actually do as described above.

Ninghui Li, et al., “A Formal Language for Specifying Policy Combining Algorithms in Access Control”. https://www.cerias.purdue.edu/assets/pdf/bibtex_archive/2008-9-report.pdf

Thanks,
Rich
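The order dependence described in the message above, as an added example that is not part of the original post or of any XACML working draft. It assumes a simplified deny-overrides that returns on the first Deny and ignores Indeterminate results; the rule ids, obligation names, and the `deny_overrides_collect_all` variant are hypothetical.

```python
from itertools import permutations

# Constructed sample rules: (rule id, effect, obligations for that effect).
RULES = [
    ("permit-1", "Permit", {"log-access"}),
    ("permit-2", "Permit", {"watermark"}),
    ("deny-1", "Deny", {"notify-owner"}),
    ("deny-2", "Deny", {"alert-soc"}),
]


def deny_overrides(rules):
    """Simplified deny-overrides that returns on the first Deny it meets."""
    permit_obligations = set()
    saw_permit = False
    for _rule_id, effect, obligations in rules:
        if effect == "Deny":
            # Remaining Deny rules are never evaluated, so only this
            # rule's obligations reach the PEP.
            return "Deny", frozenset(obligations)
        if effect == "Permit":
            saw_permit = True
            permit_obligations |= obligations
    if saw_permit:
        return "Permit", frozenset(permit_obligations)
    return "NotApplicable", frozenset()


def deny_overrides_collect_all(rules):
    """Hypothetical variant: evaluate every rule, union the winner's obligations."""
    by_effect = {"Deny": set(), "Permit": set()}
    seen = set()
    for _rule_id, effect, obligations in rules:
        seen.add(effect)
        by_effect[effect] |= obligations
    for effect in ("Deny", "Permit"):
        if effect in seen:
            return effect, frozenset(by_effect[effect])
    return "NotApplicable", frozenset()


def outcomes_over_all_orders(combine, rules):
    """Set of distinct (decision, obligations) results across evaluation orders."""
    return {combine(list(order)) for order in permutations(rules)}


if __name__ == "__main__":
    for combine in (deny_overrides, deny_overrides_collect_all):
        for decision, obligations in sorted(outcomes_over_all_orders(combine, RULES), key=str):
            print(combine.__name__, decision, sorted(obligations))
```

The decision is Deny in every ordering, but the short-circuiting form yields two different obligation sets while the collect-all variant yields one.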