OASIS eXtensible Access Control Markup Language (XACML) TC


Re: [xacml] CR: Policy Indexing

  • 1.  Re: [xacml] CR: Policy Indexing

    Posted 10-11-2002 14:45


    Subject: Re: [xacml] CR: Policy Indexing


    On Fri, 11 Oct 2002, Hal Lockhart wrote:
    
    > Section 2.8 describes two policy indexing strategies. This seems like a
    > reasonable discussion to motivate the use of target, but I have a couple of
    > concerns.
    >
    > 1. My most important concern is that it states that "only one policy
    > statement applies". This is contrary to my understanding (or what are
    > combining algorithms for?) and it appears to contradict section 2.2
    > specifically.
    
    I agree. I drafted a One-applicable-policy combining algorithm to handle
    this case. In conjunction, in Section 7.1, it states that a PDP shall
    represent One Policy or Policy Set.
    
    That should take care of it.
    
    However, the next sentence in 7.1 may be worrisome, which says "Should
    the PDP be dynamic in nature in retrieving policies based on the request,
    the PDP SHALL act as if it represents a single policy set with the "Only
    One Applicable Policy" policy combining algorithm."
    
    
    So, what I think this is saying is that if you do not explicitly configure
    your PDP with a single Policy or Policy Set, it specifies a default
    behavior of finding the "only" policy that should apply.
    
    Hal, do you think this jives?
    
    I think we should really get rid of the text that stipulates that only one
    policy applies in Section 2.8, and leave it to the 7.1 section.
    
    Cheers,
    -Polar
    
    
    >
    > 2. I really don't see that strong a distinction between the two cases and I
    > suspect that they are not the only possibilities either. It seems to me that
    > the general case is basically that you have a bunch of policies stored
    > someplace and you need to find the ones (hopefully using some efficient
    > technique) whose Targets match the corresponding fields in the Request
    > Context. Period.
    >
    > Am I missing some subtleties here? If there is general agreement, I would
    > be willing to draft some text, but I don't want to do so until there is
    > consensus.
    >
    > Hal
    >
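
Added example, not part of the original message or of the XACML specification text: a Python illustration of the lookup Hal describes (find stored policies whose Targets match the Request Context) combined with the one-applicable-policy behaviour Polar refers to. The decision semantics (no match gives NotApplicable, more than one match gives Indeterminate) follow the only-one-applicable algorithm as published in XACML 1.0 and are an assumption about the draft under discussion; the `Policy` class, the attribute names and the sample policies are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Request = Dict[str, str]

@dataclass
class Policy:
    policy_id: str
    target: Dict[str, str]              # attribute -> required value; {} matches any request
    evaluate: Callable[[Request], str]  # body of the policy: returns "Permit" or "Deny"

def target_matches(policy: Policy, request: Request) -> bool:
    return all(request.get(attr) == val for attr, val in policy.target.items())

def build_index(policies: List[Policy], key: str = "resource") -> Dict[Optional[str], List[Policy]]:
    """Bucket policies by one Target attribute; policies that do not constrain it go under None."""
    index: Dict[Optional[str], List[Policy]] = {}
    for p in policies:
        index.setdefault(p.target.get(key), []).append(p)
    return index

def find_applicable(index, request: Request, key: str = "resource") -> List[Policy]:
    """Use the index to narrow candidates, then do the full Target match on each."""
    candidates = list(index.get(None, []))
    if key in request:
        candidates += index.get(request[key], [])
    return [p for p in candidates if target_matches(p, request)]

def only_one_applicable(applicable: List[Policy], request: Request) -> str:
    if not applicable:
        return "NotApplicable"
    if len(applicable) > 1:
        return "Indeterminate"   # overlapping Targets are reported, not silently resolved
    return applicable[0].evaluate(request)

# Constructed sample policies (hypothetical names and attributes).
POLICIES = [
    Policy("payroll-read", {"resource": "payroll", "action": "read"},
           lambda r: "Permit" if r.get("role") == "hr" else "Deny"),
    Policy("payroll-any", {"resource": "payroll"}, lambda r: "Deny"),
    Policy("wiki", {"resource": "wiki"}, lambda r: "Permit"),
]
INDEX = build_index(POLICIES)

def decide(request: Request) -> str:
    return only_one_applicable(find_applicable(INDEX, request), request)
```

A read request on `payroll` matches two Targets and yields Indeterminate, while a write request matches only `payroll-any` and yields that policy's Deny.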
    
    

