OASIS eXtensible Access Control Markup Language (XACML) TC


Re: [xacml] bags and targets. Forwarded message from Seth Proctor.

  • 1.  Re: [xacml] bags and targets. Forwarded message from Seth Proctor.

    Posted 10-17-2002 17:44


    Subject: Re: [xacml] bags and targets. Forwarded message from Seth Proctor.


    
    
    On Thu, 17 Oct 2002, Seth Proctor wrote:
    
    >
    > > This sentence means exactly what it says. If the selector or
    > > designator evaluates to an empty bag, then there is no match, i.e. the
    > > match "predicate" is False.
    >
    > Yes, I understand that. What I don't understand is how the bag could be empty
    > and not have that be an Indeterminate case. This is the only question I was
    > asking.
    
    If I ask you whether or not you have any bills in your wallet that have a
    picture of Ulysses S. Grant on them, what will you tell me?
    
    -Polar
    
    >
    > If an AD or AS is asked to resolve a particular attribute, and it fails to
    > do so, then this is an indeterminate state, and typically a Status message
    > gets returned about some missing attributes. The spec is very clear that in
    > a match operation, if the AD/AS fails to resolve a value and returns
    > Indeterminate, then the match evaluates to Indeterminate immediately.
    >
    > The sentence that I called out, however, suggests that an AD/AS can return
    > an empty bag and not have that be a failure case. Thus, my question. How can
    > the bag be empty and not represent a failure? The one case I suggested is that
    > the Attribute in the Request had no AttributeValues associated with it. If
    > this is the correct explanation, then the text should be explicit and explain
    > this. If this is not the case, then the text should explain what's going on.
    > Either way, there needs to be clarification here, and probably in the section
    > on AD/AS types as well.
    >
    > > The match predicate is akin to asking, "Do you have one or more of any
    > > subject ids that match "john.*". If you have none, then False, if you have
    > > at least one, then True.
    > >
    > > This is a composition of three functions:  an Attribute Designator i.e.
    > > "Get me all subject ids", a match filter, i.e. "that match 'john.*'", and a
    > > length predicate "length > 0".
    > >
    > > Regardless of the match filter, if you have zero elements to start with,
    > > you will end up with zero elements after you apply the match filter, and
    > > therefore, vacuously, you don't have a match.
    >
    > This is all made clear by the spec. I wasn't asking for clarification on any
    > of these points.
    >
    >
    > seth
    >
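
The distinction debated in this thread, as an added Python sketch that is not part of either message or of the XACML specification: the three-function composition Polar describes (designator, match filter, `length > 0`), with an empty bag evaluating to False and a designator failure evaluating to Indeterminate. The names `designate`, `match` and `ResolutionError`, the dict-shaped request, and the choice to treat an attribute absent from the request as the failure case are assumptions of the sketch.

```python
import re
from enum import Enum


class Match(Enum):
    TRUE = "True"
    FALSE = "False"
    INDETERMINATE = "Indeterminate"


class ResolutionError(Exception):
    """Hypothetical: the designator could not resolve the attribute at all."""


def designate(request, attribute_id):
    """Attribute designator: "get me all values of attribute_id" as a bag (list).

    Assumption of this sketch: an attribute listed with zero values yields an
    empty bag, while an attribute that cannot be found is a resolution failure.
    """
    if attribute_id not in request:
        raise ResolutionError(attribute_id)
    return list(request[attribute_id])


def match(request, attribute_id, pattern):
    """Compose designator -> match filter -> length predicate."""
    try:
        bag = designate(request, attribute_id)
    except ResolutionError:
        # A failure to resolve is not "no match": report it as Indeterminate.
        return Match.INDETERMINATE
    filtered = [value for value in bag if re.fullmatch(pattern, value)]
    # Zero elements in means zero elements out, so an empty bag is False.
    return Match.TRUE if len(filtered) > 0 else Match.FALSE


# Constructed sample requests (not taken from the thread).
SAMPLES = {
    "one value matches": {"subject-id": ["john.smith", "mary"]},
    "values, none match": {"subject-id": ["mary"]},
    "empty bag": {"subject-id": []},
    "unresolvable": {},
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(f"{label:20} -> {match(request, 'subject-id', r'john.*').value}")
```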
    
    

