I also support Anne's proposal. I think this technique deals with the
distributed scenario nicely. I stated a similar idea that uses an external
function to call sub applicable policies in the policy model con-call on
Dec. 17 but Anne's description is much more concrete and easy to
understand. For the global deny policy, I agree that this technique is
useful to specify the global deny semantics. If this technique is agreed,
we may need a more intuitive name for the externalFunction.
p.s. I may not be able to attend tomorrow morning concall.
Best regards,
Michiharu Kudo
From: ernesto damiani <edamiani@crema.unimi.it> on 2002/01/19 20:07
To: Tim Moses <tim.moses@entrust.com>, xacml@lists.oasis-open.org
cc:
Subject: Re: [xacml] [model] implementing global "deny" using 0.8 and
meta-policies
I support this proposal. I believe it could deal smoothly with the
distributed scenario Anne described many times during the last concalls.
It goes in the same direction as a previous suggestion of mine (deal with
composition and distributed deployment at the ApplicablePolicy level), but
does it far better.
However, I would suggest some minor observations/amendments (otherwise
there is no fun :-))
1. Maybe this is trivial, but any change to the current schema should
keep policies fully embeddable in the Applicable policy element, besides
being able to point to them using external functions. In simple
environments there will be only one local policy, stated in a single
document.
2. I happen not to like very much using the word "meta-policy" to describe
this proposal, for several reasons some of which would be too long to
explain in this message. Basically, I regard Anne's technique mainly as a
way to define how a global policy can be deployed in distributed,
independently maintained retrieval units. In passing, it also solves the
problem of stating which criterion should be applied to compose the
outcome of such units (this is essential when "deny" is a possible outcome,
as the criterion may have an impact on what actually needs to be
retrieved), but I cannot convince myself this requirement is equally
important. I believe (but would like to hear the opinion of the
industrial researchers on this one) that there will be a default policy
composition technique that will be used 99.9% of the time. Therefore, in
the schema I would prefer to concentrate the deployment
description functionality in a new element, perhaps called
"ApplicablePolicies", possibly defined as an extension of the base
(Applicable)Policy type. This element could optionally (via an attribute)
specify the composition criterion as well. Tim, what are your views?
Rgds
Ernesto
Prof. Ernesto Damiani
Dipartimento di Tecnologie dell'Informazione
Università di Milano - Polo di Crema
Via Bramante 65 26013 Crema, Italia
tel 0373-898240
fax 0373-898253