Groups - XACML Implementor's Guide Version 3.0 (xacml-implement-guide-3.0-02-05.doc) uploaded

[rich.levinson@oracle.com]

This revision does not incorporate planned changes beyond wd-20, which will
impact some of the combining alg discussion. Also, change bars not included
because of some distracting problems, but can be available on request.

This revision does add explanatory discussion about the referenced paper,
which may prove useful background, in general, to the changes that have
been made to the combining algorithms in 3.0. It also explains what appears
to have been a flaw in the reasoning of the authors of the reference,
regarding the "6-valued approach", which is the approach used in 3.0, and
appears at present to be correct.

In particular, the fundamental change is to remove the 2.0
self-contradiction about Ind, which was, for example in deny-overrides that
D > Ind > P > Ind > NA at the Rule level, but that was lost at the Policy
level, which resulted in scenarios where a Permit could be overridden by a
Policy that could only return a Permit but was indeterminate, resulting in
the return of a Deny, despite the fact that there was no possible way for
Deny to be returned.

The new section 2.1.1.1 explains the problems in the reference, and it
explains w more clarity what the core model is for "combining".

 -- Rich Levinson

The document revision named XACML Implementor's Guide Version 3.0
(xacml-implement-guide-3.0-02-05.doc) has been submitted by Rich Levinson
to the OASIS eXtensible Access Control Markup Language (XACML) TC document
repository.  This document is revision #1 of
xacml-implement-guide-3.0-01-02.doc.

Document Description:
This is a first draft to re-establish the long-discussed Implementor's
Guide, which was started early in the history of the TC:
http://www.oasis-open.org/committees/xacml/repository/xacml-implement-guide-1.1.doc,
but has not had attention directly paid to it in several years.

The reason for resurrecting it now is to explain the situation with the
combining algorithms that has been discussed recently in the TC. The issues
are subtle (and the doc has a ref in it that points to other efforts that
have been made to address this issue, which I just "discovered",
so it gives us a reference point for further exploration).

However, the description currently in the document is intended to fully
explain the issue to implementors and users alike, and should be useful for
fielding future questions about these algorithms as well as providing a
platform for addressing additional aspects of the issue plus addressing
other issues as well as the need and motivation to resolve arises.

At this point, the suggestion is to maintain the document in the manner of
the original, and, as such it is written using the original as the basis
and change bars are wrt original.

View Document Details:
http://www.oasis-open.org/committees/document.php?document_id=42358

Download Document:  
http://www.oasis-open.org/committees/download.php/42358/xacml-implement-guide-3.0-02-05.doc

Revision:
This document is revision #1 of xacml-implement-guide-3.0-01-02.doc.  The
document details page referenced above will show the complete revision
history.


PLEASE NOTE:  If the above links do not work for you, your email application
may be breaking the link into two pieces.  You may be able to copy and paste
the entire link address into the address field of your web browser.

-OASIS Open Administration