Re: Using higer-order bag functions with IP & DNS functions

[Steven Legg <steven.legg@viewds.com>]

Hi Hal,

On 15/11/2013 9:28 AM, Hal Lockhart wrote:
> I don't see any problem with defining value equal functions. The only reason I wasn't planning to was because I didn't think matching an exact IP address or DNS name would be useful very often. A policy that says IP must be exactly such and such doesn't seem scalable. And matching for example, the IP of the Subject with the IP of the Resource is not like matching the Subject with Resource owner or matching the Subject's clearance with the Resource classification.
>
> Similarly I can't think of many cases where you would have a bag of say IP values and want to see if a specific one is present. The converse case of wanting to see if a single value matches a bunch of possibilities seems well covered by the use of a wildcard pattern.
>
> I will go ahead and add ipAddress-value-equal and dnsName-value-equal functions.
>
> BTW, do you have usecases in mind of are you just looking for regularity?

I was just noting the irregularity. I don't have any specific use cases in mind.
If no one would find the extra functions useful, then you needn't define them.

The union functions might be a special case since they are the only way we have
to combine bags of values, which is sometimes convenient, though bag merging
functions that did not care about duplicates (and therefore wouldn't need a
type-equal function) would likely be just as useful.

Regards,
Steven

> Hal
>
> > -----Original Message-----
> > From: Steven Legg [mailto:steven.legg@viewds.com]
> > Sent: Thursday, November 14, 2013 4:52 PM
> > To: Hal Lockhart; xacml@lists.oasis-open.org
> > Subject: Re: Using higer-order bag functions with IP & DNS functions
> >
> >
> > Hi Hal,
> >
> > On 15/11/2013 7:18 AM, Hal Lockhart wrote:
> > > Steven,
> > >
> > > After a quick look at Section A.3.12 it looks to me that the
> > functions I have in mind would work fine with all the higher order bag
> > functions. The text merely says the "worker" function invoked by the
> > hobf must be a " ... Boolean function that takes n arguments of
> > primitive types." The functions I am proposing are Boolean functions of
> > two arguments of IP of DNS types.
> > > For example in abbreviated form, I am proposing:
> > >
> > > IPmatch( IPpattern, IPvalue ) I believe this would allow:
> > >
> > > Any-of( IPmatch(), IPpattern, bag-of-IP-values )
> > >
> > > Or as in the examples in A.3.12:
> > >
> > > Any-of( IPmatch(), IPpattern, IP-bag( IPval1, IPval2, IPval3))
> > >
> > > Does that make sense or am I missing something?
> >
> > I was talking about functions in the two preceding sections,
> > specifically:
> > type-is-in, type-intersection, type-at-least-one-member-of, type-union,
> > type-subset and type-set-equals. These functions directly or indirectly
> > depend on a type-equal function. The ipAddress and dnsName data-types
> > are the odd ones out in the core specification because they don't have
> > these
> > type-* functions.
> >
> > The type-is-in, type-at-least-one-member-of, type-subset and type-set-
> > equals functions can be simulated with higher-order bag functions or
> > quantified expressions, but not as compactly. The type-intersection
> > function can only be approximated (duplicates would be retained). There
> > is no substitute for the type-union function.
> >
> > Regards,
> > Steven
> >
> > > Hal