OASIS eXtensible Access Control Markup Language (XACML) TC

[xacml] Issues for 7/15/02 schema subcommittee meeting

    Posted 07-15-2002 13:20
    Colleagues, here is my list of issues for this morning's schema subcommittee meeting. -Anne

    2. [Anne] Handling of multiple decisions
       http://lists.oasis-open.org/archives/xacml/200207/msg00044.html
       [Michiharu response] http://lists.oasis-open.org/archives/xacml/200207/msg00049.html
       Treat like separate evaluation for each element in resource sub-tree?
       If treat together, how are effects combined?
       Decision: TBD.

    3. [Anne] Optional <Target> in Rule (since often same as Policy)
       http://lists.oasis-open.org/archives/xacml/200207/msg00011.html
       Options:
       a. Optional <Target> in Rule (already optional in 15g): semantics ::= "match"
       b. Define <Target> to be a choice
          1. urn:oasis:...:anyTarget, or
          2. <Subject>...</Subject>,<Resource>...</Resource>,...
          and use 1. for this case.
       c. Use <Subject>urn:oasis:...:any</Subject>, <Resource>urn:oasis:...:any</Resource> for this case.
       Decision: Decide on Monday

    15. [Daniel] mapping "numeric"
       http://lists.oasis-open.org/archives/xacml/200207/msg00033.html
       In general, I am rather concerned that no clear type compatibility/conversion rules are defined. It is not just hard to write an implementation, even with an unlimited supply of summer interns available, it is unsafe - different implementations are bound to interpret it just different enough to cause a lot of problems. Using stated promotion rules to determine the return type of a "numerical" operation breaks the idea of strong typing of the return type of the function. Not good for policy verification.
       Decision: probably just an issue for floating point values, which are not commonly used in policies, so not a big issue. Daniel and others with concerns are welcome to propose a method for mapping these if they still see issues.

    16. [Anne] Target matching:
       http://lists.oasis-open.org/archives/xacml/200207/msg00018.html
       [Michiharu response] http://lists.oasis-open.org/archives/xacml/200207/msg00032.html
       [Michiharu new response] http://lists.oasis-open.org/archives/xacml/200207/msg00050.html
       a. Just use XPATH?
       b. Use XPATH for AttributeDesignator plus a specified value to be matched, plus an implied xacml:equals operator?
       c. As in b, but specify the operator?
       Sub-issues:
       a. XPATH can return 0 nodes, 1 node, or multiple nodes. (specify ALL or ANY match; XPath 2.0 does not support)
          Example: point to "role" AttributeName. Want to match "at least one".
       b. A node can be structured in depth (XPath 2.0 supports "sequence-deep-equal"); similar to our [@Format="x" and Value="y"]
       Decision: XPATH, value plus use correct "equals" for the types specified [as in v15]. Must use "standard" "equals" function for the data type, but we will not spell out what that function is except for xml base types. For example, for comparing an X500 Distinguished Name, the implementation would be expected to support the standard X500 DN MatchingRule.
       Decision: Where multiple Subjects or Resources elements occur in a Target, then ALL the specified matches must be satisfied.
       Decision: Where the AttributeDesignator in a single Subjects or Resources element returns multiple nodes, then the match is satisfied if at least one of the returned nodes matches the supplied comparison value.
       Decide Monday on whether sequence-deep-equal supported.

    21. [Anne] {PolicySet Policy Rule}Designator issue
       http://lists.oasis-open.org/archives/xacml/200207/msg00045.html
       Decision: TBD

    22. [Daniel] Why Function has 1...inf of arguments? Couldn't it be without arguments?
       http://lists.oasis-open.org/archives/xacml/200207/msg00047.html
       Decision: TBD

    --
    Anne H. Anderson                 Email: Anne.Anderson@Sun.COM
    Sun Microsystems Laboratories
    1 Network Drive, UBUR02-311      Tel: 781/442-0928
    Burlington, MA 01803-0902 USA    Fax: 781/442-1692
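The target-matching decisions recorded under issue 16 (ALL match elements in a Target must hold; within one element, the match holds if ANY node returned by the designator's XPath equals the value; equality is the data type's own "equals" function), worked through as an added Python example that is not part of Anne's message or of any XACML specification. The request layout, the XPath expressions, the x500name type and its normalising equals are simplified assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed request context (simplified, not the XACML 1.0 request schema):
# the subject holds two "role" attributes, so a designator for "role" returns
# two nodes; "size" carries a leading zero to exercise integer equality.
REQUEST = """<Request>
  <Subject>
    <Attribute Name="role"><Value>clerk</Value></Attribute>
    <Attribute Name="role"><Value>auditor</Value></Attribute>
    <Attribute Name="dn"><Value>CN = Alice, O=Example</Value></Attribute>
  </Subject>
  <Resource>
    <Attribute Name="owner"><Value>bob</Value></Attribute>
    <Attribute Name="size"><Value>0042</Value></Attribute>
  </Resource>
</Request>"""

def x500_equals(a, b):
    # Assumed stand-in for the X.500 DN matching rule: normalise spacing
    # around "=" and "," and compare case-insensitively. Not the real rule.
    def norm(dn):
        return ",".join("=".join(t.strip() for t in rdn.split("=")).lower()
                        for rdn in dn.split(","))
    return norm(a) == norm(b)

# Per-datatype "equals": the decision fixes the function only for XML base
# types; "x500name" is an assumed extension type for the example.
EQUALS = {
    "string": lambda a, b: a == b,
    "integer": lambda a, b: int(a) == int(b),
    "x500name": x500_equals,
}

def element_matches(request, xpath, datatype, value):
    """One Subjects/Resources match: the designator XPath may return 0, 1 or
    many nodes; it holds if at least ONE node equals the value, so an empty
    result never matches."""
    return any(EQUALS[datatype](n.text or "", value) for n in request.findall(xpath))

def target_matches(request_xml, target):
    """A target is a list of (xpath, datatype, value) matches; ALL must hold."""
    request = ET.fromstring(request_xml)
    return all(element_matches(request, *m) for m in target)

# Constructed targets: the first is satisfied via the second "role" node and
# the integer/DN equals functions; the second fails on the resource owner.
TARGET_OK = [("./Subject/Attribute[@Name='role']/Value", "string", "auditor"),
             ("./Resource/Attribute[@Name='size']/Value", "integer", "42"),
             ("./Subject/Attribute[@Name='dn']/Value", "x500name", "cn=alice,o=example")]
TARGET_NO = [("./Subject/Attribute[@Name='role']/Value", "string", "auditor"),
             ("./Resource/Attribute[@Name='owner']/Value", "string", "alice")]
```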