OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: Using higer-order bag functions with IP & DNS functions

Hi Hal,

On 15/11/2013 7:18 AM, Hal Lockhart wrote:

After a quick look at Section A.3.12 it looks to me that the functions I have in mind would work fine with all the higher order bag functions. The text merely says the "worker" function invoked by the hobf must be a " ... Boolean function that takes n arguments of primitive types." The functions I am proposing are Boolean functions of two arguments of IP of DNS types.

For example in abbreviated form, I am proposing:

IPmatch( IPpattern, IPvalue ) I believe this would allow:

Any-of( IPmatch(), IPpattern, bag-of-IP-values )

Or as in the examples in A.3.12:

Any-of( IPmatch(), IPpattern, IP-bag( IPval1, IPval2, IPval3))

Does that make sense or am I missing something?

I was talking about functions in the two preceding sections, specifically:
type-is-in, type-intersection, type-at-least-one-member-of, type-union,
type-subset and type-set-equals. These functions directly or indirectly
depend on a type-equal function. The ipAddress and dnsName data-types are
the odd ones out in the core specification because they don't have these
type-* functions.

The type-is-in, type-at-least-one-member-of, type-subset and type-set-equals
functions can be simulated with higher-order bag functions or quantified
expressions, but not as compactly. The type-intersection function can only be
approximated (duplicates would be retained). There is no substitute for the
type-union function.



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]