OASIS eXtensible Access Control Markup Language (XACML) TC


Re: [xacml] change request: xacml context attributes and data types


    Posted 09-27-2002 10:00


    Subject: Re: [xacml] change request: xacml context attributes and data types


    
    
    I agree with removing the dataType attribute from the
    xacml-context:Attribute.
    
    However, the implications are this:
    
    If you have an Attribute of "subject-id" and its value is:
    
      <AttributeValue>CN=Simon Godik, O=OverXeer, OU=Research</AttributeValue>
    
    What does the designator:
    
    <SubjectMatch MatchId="function:rfc822Name-equal">
    	<SubjectAttributeDesignator AttributeId="subject-id"/>
    	<AttributeValue>simon@godik.com</AttributeValue>
    </SubjectMatch>
    
    evaluate to?
    
    Does it evaluate to "indeterminate" because the formal type of
    rfc822Name-equal is
             xacml:rfc822Name -> xacml:rfc822Name -> Bool
    and the attribute value is an invalid representation of an rfc822Name?
    
    Or does it evaluate to "false"?
    
    The question in the context of its application, the
    	<SubjectAttributeDesignator Attribute="subject-id">
    shall return a bag of "rfc822Name", which means that every "subject-id"
    attribute must have a parseable rfc822Name representation as a value.
    
    So, does the designator return "indeterminate" because not *all* values
    under "subject-id" are valid string representations of rfc822Name?
    
    Or does it return a bag of rfc822Names of *only* the values under
    "subject-id" that do have valid string representations of rfc822Names? In
    the example above for the latter case, this designator would return an
    empty bag.
    
    I don't think I'll be able to comment much further; I have to leave real
    soon.  It's food for thought.
    
    Cheers,
    -Polar
    
    
    
    On Fri, 27 Sep 2002, Simon Godik wrote:
    
    > Currently <xacml-context:Attribute> element allows DataType attribute.
    >
    > Rationale for keeping DataType attribute in the <xacml-context:Attribute> element was that
    > it can sometimes be helpful, such as specifying subject-id format, like
    > subject-id="cn=simon", data-type="x500-name"
    >
    > But this information is redundant, because subject-id attribute will be passed to the specific
    > function that expects arguments of certain type. For example, if subject-id is passed to
    > the x500Name-equal function it expects its arguments to be in x500 name format.
    >
    > So data type does not add value here.
    >
    > Another problem is that we can not access DataType attribute with AttributeDesignator.
    >
    > Proposal: remove DataType attribute from the <xacml-context:Attribute>.
    >
    > Simon
    >
    >
    
    
