On 18 October, Polar Humenn writes: Re: [xacml] bags and targets.
Forwarded message from Seth Proctor.

> If you really want an indeterminate, you may wrap the attribute designator
> in an apply of "*-one-and-only". This forces an Indeterminate error if
> there isn't one attribute. Similarly, you can write "*-greater-than" on the
> "*-length", etc.
>
> I strongly suggest that policy writers should not be relying on
> "Indeterminate" for evaluations. It is an error condition, not a valid
> access decision.
>
> Writers (or should I say their tools) should be using "present" in boolean
> expressions that lead to the desired effect.

You can't use "present" or "*-one-and-only" or "*-length" in a <Target>.
This means any policy where you really care about whether an attribute is
present or not will have to use an <Any*> Target, and thus will always need
to be evaluated (can't eliminate by indexing).

I strongly suggest that policy writers should not be relying on absence of
an attribute for evaluations. It is indeterminate, not a valid access
decision. :-)

Note that there are numerous places in the spec that will need to be
re-written or clarified to conform with your interpretation of attribute
retrieval. I think this is something that has not been clearly understood
by all the TC members, but it is critical to the semantics of XACML.

I can live with Polar's interpretation, although I think it is wrong and
dangerous to security. If we accept his interpretation, however, we need
to be very clear in spelling out how his interpretation applies to policy
evaluation. That is not currently the case, as witnessed by this entire
disagreement.

Anne
--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
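The following is a toy model of the bag semantics the thread is arguing about, added here as an illustration; it is not code from the XACML TC, from Sun, or from any XACML implementation. The function names are shortened stand-ins for the XACML function identifiers (one_and_only for "*-one-and-only", bag_size for the "*-length" / bag-size function, is_in for "*-is-in"), Indeterminate is modelled as a Python exception, and the request dictionaries are constructed sample input. It shows the outcomes Seth and Anne distinguish: a Condition that wraps the attribute designator in *-one-and-only evaluates to Indeterminate when the attribute is absent or multi-valued, whereas a bag-membership or bag-size test evaluates to a plain False, so the rule is simply NotApplicable and an empty bag is indistinguishable from "the attribute was never there".

```python
"""Toy model of XACML attribute bags and the Indeterminate result.

Added illustration only; not code from the XACML TC or any PDP.
An AttributeDesignator evaluates to a bag (here: a list) of values, and a
Condition is a boolean function built from functions over bags. Evaluation
has three outcomes: True, False, and Indeterminate (an error, modelled as
an exception). Function names are stand-ins for the XACML URNs.
"""


class Indeterminate(Exception):
    """Raised when a function cannot produce a value (XACML 'Indeterminate')."""


def attribute_designator(request, attribute_id):
    """Return the bag of values for attribute_id.

    Assumption: an attribute that is not in the request yields an empty bag
    rather than an error, which is the interpretation under debate.
    """
    return list(request.get(attribute_id, []))


def one_and_only(bag):
    """*-one-and-only: the single element, or Indeterminate if size != 1."""
    if len(bag) != 1:
        raise Indeterminate(f"one-and-only applied to a bag of size {len(bag)}")
    return bag[0]


def bag_size(bag):
    """*-length / bag-size: the number of elements in the bag (0 if absent)."""
    return len(bag)


def is_in(value, bag):
    """*-is-in: True if value occurs in the bag; False for an empty bag."""
    return value in bag


def integer_greater_than(a, b):
    """*-greater-than on integers."""
    return a > b


def evaluate_rule(condition, request):
    """Evaluate a Permit rule's Condition and map the result to a decision.

    True  -> "Permit" (the rule's Effect applies)
    False -> "NotApplicable"
    error -> "Indeterminate"
    """
    try:
        return "Permit" if condition(request) else "NotApplicable"
    except Indeterminate:
        return "Indeterminate"


# --- Three ways of writing "the subject's role is admin" -----------------

def strict_admin(request):
    """string-equal(string-one-and-only(role), "admin"): errors on 0 or 2+ roles."""
    return one_and_only(attribute_designator(request, "role")) == "admin"


def lenient_admin(request):
    """string-is-in("admin", role): an empty bag is just False, no error."""
    return is_in("admin", attribute_designator(request, "role"))


def clearance_present(request):
    """integer-greater-than(bag-size(clearance), 0): a presence test."""
    return integer_greater_than(bag_size(attribute_designator(request, "clearance")), 0)


# Constructed sample requests (not real PEP traffic).
REQUESTS = {
    "single_admin": {"role": ["admin"], "clearance": ["secret"]},
    "no_role": {"clearance": ["secret"]},
    "two_roles": {"role": ["admin", "user"]},
}


def decide_all():
    """Return {request_name: {rule_name: decision}} for every sample request."""
    rules = {
        "strict_admin": strict_admin,
        "lenient_admin": lenient_admin,
        "clearance_present": clearance_present,
    }
    return {
        req_name: {rule_name: evaluate_rule(rule, req) for rule_name, rule in rules.items()}
        for req_name, req in REQUESTS.items()
    }


if __name__ == "__main__":
    for req_name, decisions in decide_all().items():
        print(req_name, decisions)
```

The difference that matters for the thread is visible in the "no_role" request: strict_admin yields Indeterminate, which a PEP must treat as an error, while lenient_admin yields NotApplicable, which looks exactly like a request that legitimately carried no role. Whether that silent collapse is acceptable is the point Anne and Seth disagree on.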