Re: Delegation and on-permit-apply-second

[Steven Legg <steven.legg@viewds.com>]

Hi Erik,

I neglected the fact that the administration profile uses "policy" to mean
policy or policy set. Using the same convention, this is what I should have
said:

The fact that the on-permit-apply-second combining rule restricts the
number of child policies to two means that both child policies must
be trusted policies (there is no room for authorizing administrative
policies). This will have implications for access control on the policies
themselves, which will vary between PAP implementations.

A delegation-friendly change would be to restrict a policy set using
the on-permit-apply-second combining rule to exactly two *access* policies
with no limit on the number of administrative policies. The combining
algorithm would test the first access policy (which may need to be
authorized by an administrative policy) before deciding to evaluate
the second access policy (which may also need to be authorized).

I have previously argued on the comment list that labelling each policy
as an access policy or administrative policy would improve the delegation
profile and resolve a number of issues surrounding category prefixing.
Such labelling would make it easy for the on-permit-apply-second
combining rule to tell the difference between access policies and
administrative policies.

Regards,
Steven