OASIS eXtensible Access Control Markup Language (XACML) TC


AW: AW: AW: [xacml] RE: XACML's limitations in the access control for XML documents use case - AW: AW: [xacml] CD-1 issue #11: strictness of xpath definition

  • 1.  AW: AW: AW: [xacml] RE: XACML's limitations in the access control for XML documents use case - AW: AW: [xacml] CD-1 issue #11: strictness of xpath definition

    Posted 09-28-2009 15:46
    Hi Erik,
    further comments inline.
    best regards 
    jan
    
    > -----Original Message-----
    > From: Erik Rissanen [mailto:erik@axiomatics.com]
    > Sent: Monday, 28 September 2009 16:33
    > To: Jan Herrmann
    > Subject: Re: AW: AW: [xacml] RE: XACML's limitations in the access control
    > for XML documents use case - AW: AW: [xacml] CD-1 issue #11: strictness of
    > xpath definition
    > 
    > Hi Jan,
    > 
    > See responses inline. BTW, it is a good idea to post to the TC list so
    > everybody can see the discussion.
    > 
    > Best regards,
    > Erik
    > 
    > Jan Herrmann wrote:
    > > Hi Erik, all,
    > >
    > > in your mail
    > > (http://lists.oasis-open.org/archives/xacml/200909/msg00095.html) you are
    > > identifying three different use cases. Just to make sure that I understood
    > > your suggestions let me summarise how I understood your use cases and add
    > > some comments:
    > >
    > > Use case 1:
    > > You have one physical resource (a book) and an XML encoded metadata doc that
    > > describes the physical resource.
    > > You are further saying that XACML can handle this case well. Is this correct
    > > or do the same problems exist in this use case too?
    > > Let me extend your example to demonstrate that similar problems can occur:
    > >
    > > 
    > > 
    > >
    > > Now assume that you try to define a rule that denies access to a book if one
    > > of its authors is from the requestor’s family (i.e. the miller family) and
    > > born after 1978.
    > > Doesn’t this imply similar limitations as I described in
    > > http://lists.oasis-open.org/archives/xacml/200909/msg00081.html?
    > >
    > 
    > I am not sure. At the very least, the attribute selector with an offset
    > wouldn't help anything here, since it is a request for a single
    > resource, so the PDP would not iterate the resource-id over anything.
    > 
    > I suspect that it is fairly easy to write an xpath expression which
    > selects a

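The "author from the Miller family and born after 1978" rule from Jan's use case 1, as an added example that is not part of the thread. It contrasts two ways of evaluating that rule over a book's XML metadata: (a) two independent AttributeSelectors that return a bag of family names and a bag of birth years, combined with XACML's any-of functions, and (b) a single correlated predicate evaluated per author element, which is what one XPath expression such as `//author[family='miller' and birthyear > 1978]` would select. The metadata document is constructed here (the XML in the original message was not preserved in the archive), and the bag semantics are modelled in plain Python rather than run through a real PDP.

```python
"""Independent bags vs. a correlated per-author predicate for the "Miller born
after 1978" rule.  Added example; the XML documents below are constructed."""
import xml.etree.ElementTree as ET

# Constructed metadata: one Miller born before 1978, one non-Miller born after.
# Neither author satisfies BOTH conditions, so the rule should NOT deny.
BOOK_XML = """<book>
  <title>Example Book</title>
  <author><family>miller</family><birthyear>1970</birthyear></author>
  <author><family>smith</family><birthyear>1985</birthyear></author>
</book>"""

# Constructed metadata where one author really does satisfy both conditions.
BOOK_XML_MATCH = """<book>
  <title>Another Book</title>
  <author><family>miller</family><birthyear>1990</birthyear></author>
</book>"""

# Constructed metadata with no Miller at all.
BOOK_XML_NONE = """<book>
  <title>Third Book</title>
  <author><family>jones</family><birthyear>1990</birthyear></author>
</book>"""


def bag_semantics_denies(xml_text, family, year):
    """Models a XACML rule built from two independent AttributeSelectors:
       bag1 = //author/family/text()      bag2 = //author/birthyear/text()
    combined as  any-of(string-equal, family, bag1)
                 AND any-of(integer-greater-than, bag2, year).
    Each bag is evaluated on its own, so the information about which family
    name belongs to which birth year is lost (the limitation under discussion)."""
    root = ET.fromstring(xml_text)
    families = [e.text for e in root.findall(".//author/family")]
    years = [int(e.text) for e in root.findall(".//author/birthyear")]
    return any(f == family for f in families) and any(y > year for y in years)


def correlated_denies(xml_text, family, year):
    """Evaluates both conditions against the SAME author element, equivalent to
    the single XPath 1.0 predicate //author[family='miller' and birthyear > 1978].
    ElementTree's XPath subset has no 'and' or '>' in predicates, so the
    predicate is applied in Python after selecting the author nodes."""
    root = ET.fromstring(xml_text)
    return any(
        a.findtext("family") == family and int(a.findtext("birthyear")) > year
        for a in root.findall(".//author")
    )


def compare(xml_text, family="miller", year=1978):
    """Returns (bag_result, correlated_result) so the divergence is visible."""
    return (bag_semantics_denies(xml_text, family, year),
            correlated_denies(xml_text, family, year))


if __name__ == "__main__":
    for name, doc in (("BOOK_XML", BOOK_XML),
                      ("BOOK_XML_MATCH", BOOK_XML_MATCH),
                      ("BOOK_XML_NONE", BOOK_XML_NONE)):
        bag, corr = compare(doc)
        print(f"{name}: independent bags deny={bag}, correlated predicate deny={corr}")
```

On the first document the two independent bags produce a deny (a Miller exists, and someone was born after 1978) even though no single author meets both conditions; the correlated predicate does not. With a permit rule instead of a deny rule the same loss of correlation would over-permit, which is why the choice between per-attribute bags and one XPath predicate over the author node matters for the policy's security, not only its precision.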

  • 2.  RE: AW: AW: [xacml] RE: XACML's limitations in the access control for XML documents use case - AW: AW: [xacml] CD-1 issue #11: strictness of xpath definition

    Posted 09-28-2009 18:07
    This is getting very difficult to follow by email.
    
    In my experience, wiki pages can support these types of discussions
    better than email.  If no one has any objection, I will start some wiki
    topics when I get a chance.  Or, if someone wants to take the lead on
    that, go right ahead.
    
    --Paul