OASIS Mailing List Archives: xacml message

Subject: RE: PolicySetIdReference Questions

(reposting – forgot to reply to list)


Two or more policysets should never have the same policysetid and version values.  The identity of a policy revision is policy(set)id + version.


The version attributes given in PolicySetIdReference are regular expressions, so it is quite possible that two or more policysets with the same policy id but *different version values* may match the PolicySetIdReference version match expression(s).


The XACML 3.0 spec doesn’t define how version values should be compared or ordered. We ran into this in the REST api for policy access discussion a while ago.


I read “SHOULD” to mean that a PDP is not required to implement the behavior in order to be considered XACML 3.0 compliant.


Returning the most recent version when multiple versions of a policy match the version match expression is common sense but not strictly required or defined by the standard.  Since it's not defined by the standard, one cannot infer anything about how a particular compliant PDP will behave with regards to the 4 questions you posed.


From a practicality standpoint it’s very likely that a particular implementation will select consistently, and even that it will select the most recent version, since any other implementation of PolicySetIdReference would be pretty useless (IMO).


It seems to me that this area of the spec could be tightened up considerably, as I can’t imagine a use case where PolicySetIdReference would not select the most recent revision that meets the version pattern match requirements.




Danny Thorpe

Authorization Architect

Dell | Identity & Access Management, Quest Software


Quest Software is now part of Dell.


From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On Behalf Of Hill, Richard C
Sent: Friday, December 07, 2012 12:52 PM
To: 'xacml@lists.oasis-open.org'
Subject: [xacml] PolicySetIdReference Questions


During a collaboration session with the TCG IF-MAP working group a question regarding the language in the XACML core specification came up that I was unable to answer and agreed to bring to the XACML TC for clarification.


In section 5.10 Element <PolicySetIdReference> of the xacml-3.0-core-spec-en, starting at line 1973: "In the case that more than one matching version can be obtained, then the most recent one SHOULD be used."


In the case where there are two or more PolicySets that have the same PolicySetId value and the same version value:


1.) Can it be guaranteed that the “most recent” will always be selected?

2.) How is the “most recent” selected (e.g. by date-time, largest Version value, etc)?

3.) Does “SHOULD” (RFC2119) mean that the PEP cannot assume that the “most recent” will be selected?

4.) Can the PEP assume that the PDP will at least select consistently, changing its selection when a version of the Policy/PolicySet is added or removed?


In the case where there are two or more PolicySets that have the same PolicySetId value but different version values how would these questions (1 – 4 above) be answered?




- Richard
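The following is an added worked example, not part of either message above and not code from any XACML implementation. It resolves a <PolicySetIdReference> against a small constructed repository of (PolicySetId, Version) pairs, so the two situations in the thread can be seen concretely: several versions of one PolicySetId matching a single version pattern, and the "most recent" choice that the spec leaves to the PDP. The VersionMatch wildcard rules ("*" is one number, "+" is a trailing sequence of numbers) come from the XACML 3.0 core schema; everything else is this example's choice and is marked as such in the code: numeric component-wise ordering for "most recent" (the spec defines no ordering), reading "+" as one or more trailing numbers, rejecting a repository that holds the same id and version twice, and ignoring EarliestVersion/LatestVersion entirely. The repository contents and the urn:example identifiers are constructed sample data.

```python
"""Resolve an XACML 3.0 <PolicySetIdReference> against candidate PolicySets.

Added example; the ordering used for "most recent" is an assumption, since the
spec does not define how version strings compare.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Lexical forms from the XACML 3.0 core schema: a Version is dotted numbers;
# a VersionMatch additionally allows "*" (any single number) and a trailing
# "+" (any sequence of numbers).
VERSION_RE = re.compile(r"^(\d+\.)*\d+$")
VERSION_MATCH_RE = re.compile(r"^((\d+|\*)\.)*(\d+|\*|\+)$")

# Constructed sample repository of (PolicySetId, Version) pairs.
SAMPLE_REPOSITORY = [
    ("urn:example:policyset:finance", "1.0"),
    ("urn:example:policyset:finance", "1.2"),
    ("urn:example:policyset:finance", "1.10"),
    ("urn:example:policyset:finance", "2.0"),
    ("urn:example:policyset:hr", "1.3"),
]


def compile_version_match(pattern: str) -> "re.Pattern[str]":
    """Translate a VersionMatch pattern into an anchored regular expression.

    Assumption: "+" matches ONE or more trailing numbers ("1.+" does not
    match the bare version "1").
    """
    if not VERSION_MATCH_RE.match(pattern):
        raise ValueError(f"not a valid VersionMatch pattern: {pattern!r}")
    parts = []
    for token in pattern.split("."):
        if token == "*":
            parts.append(r"\d+")
        elif token == "+":
            parts.append(r"\d+(?:\.\d+)*")
        else:
            parts.append(re.escape(token))
    return re.compile("^" + r"\.".join(parts) + "$")


def version_key(version: str) -> Tuple[int, ...]:
    """Ordering key for "most recent".

    Assumption: numeric, component-wise comparison, so 1.10 > 1.9 and
    1.2.1 > 1.2.  The standard guarantees no particular ordering; a PDP that
    compared strings lexically would rank 1.9 above 1.10.
    """
    if not VERSION_RE.match(version):
        raise ValueError(f"not a valid Version: {version!r}")
    return tuple(int(n) for n in version.split("."))


def matching_versions(policysets: Iterable[Tuple[str, str]],
                      policyset_id: str,
                      version: Optional[str] = None) -> List[str]:
    """All versions of `policyset_id` that match the Version pattern, oldest first."""
    matcher = compile_version_match(version) if version is not None else None
    seen = set()
    found = []
    for pid, ver in policysets:
        if pid != policyset_id:
            continue
        if (pid, ver) in seen:
            # Same PolicySetId and Version twice: the repository itself is
            # broken, so refuse rather than pick one arbitrarily (assumption).
            raise ValueError(f"duplicate PolicySet {pid!r} version {ver!r}")
        seen.add((pid, ver))
        if matcher is None or matcher.match(ver):
            found.append(ver)
    return sorted(found, key=version_key)


def resolve_policyset_reference(policysets: Iterable[Tuple[str, str]],
                                policyset_id: str,
                                version: Optional[str] = None
                                ) -> Optional[Tuple[str, str]]:
    """The PolicySet a reference selects: the most recent matching version, or None."""
    versions = matching_versions(policysets, policyset_id, version)
    return (policyset_id, versions[-1]) if versions else None


if __name__ == "__main__":
    fin = "urn:example:policyset:finance"
    print("1.+ matches:", matching_versions(SAMPLE_REPOSITORY, fin, "1.+"))
    print("1.* resolves to:", resolve_policyset_reference(SAMPLE_REPOSITORY, fin, "1.*"))
    print("no Version attribute:", resolve_policyset_reference(SAMPLE_REPOSITORY, fin))
```

Running it shows the point of the thread: the pattern "1.*" matches three distinct versions of the same PolicySetId, and which one comes back depends entirely on the ordering the implementation chose. Swapping version_key for plain string comparison would return "1.2" instead of "1.10" while remaining just as "compliant", which is why a PEP cannot assume anything beyond what its particular PDP documents.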
