OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: Using higer-order bag functions with IP & DNS functions

I don't see any problem with defining value equal functions. The only reason I wasn't planning to was because I didn't think matching an exact IP address or DNS name would be useful very often. A policy that says IP must be exactly such and such doesn't seem scalable. And matching for example, the IP of the Subject with the IP of the Resource is not like matching the Subject with Resource owner or matching the Subject's clearance with the Resource classification.

Similarly I can't think of many cases where you would have a bag of say IP values and want to see if a specific one is present. The converse case of wanting to see if a single value matches a bunch of possibilities seems well covered by the use of a wildcard pattern.

I will go ahead and add ipAddress-value-equal and dnsName-value-equal functions.

BTW, do you have usecases in mind of are you just looking for regularity?

Hal

> -----Original Message-----
> From: Steven Legg [mailto:steven.legg@viewds.com]
> Sent: Thursday, November 14, 2013 4:52 PM
> To: Hal Lockhart; xacml@lists.oasis-open.org
> Subject: Re: Using higer-order bag functions with IP & DNS functions
> 
> 
> Hi Hal,
> 
> On 15/11/2013 7:18 AM, Hal Lockhart wrote:
> > Steven,
> >
> > After a quick look at Section A.3.12 it looks to me that the
> functions I have in mind would work fine with all the higher order bag
> functions. The text merely says the "worker" function invoked by the
> hobf must be a " ... Boolean function that takes n arguments of
> primitive types." The functions I am proposing are Boolean functions of
> two arguments of IP of DNS types.
> >
> > For example in abbreviated form, I am proposing:
> >
> > IPmatch( IPpattern, IPvalue ) I believe this would allow:
> >
> > Any-of( IPmatch(), IPpattern, bag-of-IP-values )
> >
> > Or as in the examples in A.3.12:
> >
> > Any-of( IPmatch(), IPpattern, IP-bag( IPval1, IPval2, IPval3))
> >
> > Does that make sense or am I missing something?
> 
> I was talking about functions in the two preceding sections,
> specifically:
> type-is-in, type-intersection, type-at-least-one-member-of, type-union,
> type-subset and type-set-equals. These functions directly or indirectly
> depend on a type-equal function. The ipAddress and dnsName data-types
> are the odd ones out in the core specification because they don't have
> these
> type-* functions.
> 
> The type-is-in, type-at-least-one-member-of, type-subset and type-set-
> equals functions can be simulated with higher-order bag functions or
> quantified expressions, but not as compactly. The type-intersection
> function can only be approximated (duplicates would be retained). There
> is no substitute for the type-union function.
> 
> Regards,
> Steven
> 
> >
> > Hal
> >
>

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]