OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: New Issue: need to resolve ambiguities in combining algorithms wrtObligations/Advice

To TC:

This issue may have been raised before in some context, however, afaik, there has been
no attempt to address it yet, however, imo, it should be addressed in some form or other
to enable developers to implement the algorithms in a deterministic manner.

The issue can be seen w deny-overrides. For example,
  • consider a deny-overrides Policy with 2 Permit and 2 Deny Rules (R1d,R2d,R3p,R4p)
    • assume each Rule has a unique set of Obligations (O1d,O2d,O3p,O4p)
    • a Deny is encountered (assuming order of rule specified above), then the Obligation
      set, O1d, will be returned.?
    • however, if no Deny is encountered then both R3p and R4p will be evaluated and
      presumably both O3p,O4p will be returned.?
  • First question: is the analyis correct so far, or have I missed something in spec that
    says what happens in the to cases above?
  • Second point: given the above logic, if we now consider that, in deny-overrides (unordered),
    in some cases R1d will cause Deny w O1d returned, in other cases R2d will cause Deny w O2d
    returned.
The net effect is that based on the above logic for deny-overrides we have an asymmetry where
if there are 10 permit rules, then you can get back 10 sets of obligations, but if you also have 10
deny rules you can get back only one of the 10 sets of deny obligations.

I believe Erik has also called attention to this issue in WD-20: lines 5346-5347:
"The decisions may be processed in any order, so the set of obligations provided by this algorithm is not deterministic."
w similar statements preceding other algorithms.

Same should apply to Advice.

The ref in Implementor's Guide missed this issue, and explicitly said that Obligations do not impact their
analysis, but they actually do as described above.
Ninghui Li, etal, “A Formal Language for Specifying Policy Combining Algorithms in Access Control”. https://www.cerias.purdue.edu/assets/pdf/bibtex_archive/2008-9-report.pdf
    Thanks,
    Rich

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]