OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [xacml] Multiple obligations

Hi Ray/TC,

I agree, I don't like it either, which is why I wanted to state it 
explicitly so
we all know what the current behavior implies, at least based on my
reading of the text to date.

My statement was that is how I understand the current operation
to be, although it is not clearly and unambiguously stated in the text.

However, I am not sure what other option might be inferred from the
text, although your suggestion sounds like a reasonable alternative, if
we were to explicitly state it that way.

In any event, once the current behavior is clarified, then whatever
it is can be considered the default option, and for 3.0, at least, if devs
want to offer other options then they can be custom w combiner
parameters, which is what would be explained in the implementers/
policy designers guide - explained so designers would know what to
look for and devs would know what to implement.


On 6/6/2011 5:27 AM, remon.sinnema@emc.com wrote:
> All,
>> -----Original Message-----
>> From: rich levinson [mailto:rich.levinson@oracle.com]
>> Sent: Friday, June 03, 2011 12:52 AM
>> To: xacml
>> Subject: [xacml] Minutes for 2 June 2011 TC Meeting
> [...]
>>     Obligations/Advice combining ambiguities. (dependent on final
>>      version of combining algorithms)
>>      http://lists.oasis-open.org/archives/xacml/201105/msg00094.html
>>       rich: working assumption is that in deny-overrides that if there
>> 	are multiple permit rules then all the applicable permits
>> 	add their obligations to the response if decision is permit,
>> 	as opposed to the deny decision, where only one rule's obls
>> 	are returned.
> I'm not sure I like this. First of all, this means there is an asymmetry between the permit and deny cases, as noted on the call. Secondly, this assumption rules out the following performance improvement: For deny-overrides, once an applicable permit rule has been found, other permit rules don't need to be evaluated, since they can never change the decision.
> Thanks,
> Ray

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]