MHonArc v2.5.0b2 -->
xacml message
[Date Prev]
| [Thread Prev]
| [Thread Next]
| [Date Next]
--
[Date Index]
| [Thread Index]
| [List Home]
Subject: NotApplicable and combining algs
Sections 7.10 and 7.11 of draft 13 say that in all cases, if no
elements provided to a combining algorithm apply then the combining
algorithm always returns NotApplicable. Is that really what we want?
Shouldn't I be free to write a combining algorithm, for example, that
returns Deny if no elements apply? I can think of many cases where this
would be very useful (at the top-level in a PDP and to replace
fall-through Deny rules).
The reason I ask is twofold. First, I don't ever remember discussing
this issue, so I'm not sure if someone explicitly wanted to see this in
the spec or if it's just an oversight. Second, I think it breaks the
relationship shown on page 19, since it implies that before a combining
algorithm starts working with its elements, something above it will
already have checked applicability of all elements. I think it's clear
that we don't want that model. Basically, I think this is another case
where we should say that the combining algorithm decides, and it just
so happnes that all the standard algorithms return NotApplicable in
this case.
Yes? No? What do people think? Again, maybe fodder for discussion
tomorrow?
seth
[Date Prev]
| [Thread Prev]
| [Thread Next]
| [Date Next]
--
[Date Index]
| [Thread Index]
| [List Home]