OASIS eXtensible Access Control Markup Language (XACML) TC

Re: [xacml] Problems with XACML and time

  • 1.  Re: [xacml] Problems with XACML and time

    Posted 07-23-2003 00:37


    Subject: Re: [xacml] Problems with XACML and time



    Hi,

    Here is my understanding:
    1. The first part of your problem makes sense to me.
    2. I don't think the second part is a problem.

    >> However, according to the XML-Schema specification, you have to
    >> normalize the three time values. They are normalized to
    >> 19:00 <= 00:00 <= 03:00. It seems to me that you say that the
    >> result is false because 19:00 <= 00:00 is false.

    I don't think this interpretation is right.
    The XML schema specification says that:
      The order relation on time values is the Order relation on dateTime
      (§3.2.7.3) using an arbitrary date.

    So I think that we can use an implicit date information for
    time comparison. The following is the comparison flow in my mind.
    (Let me know if I'm wrong)

    1.
    I want to check whether
    09:00(+14:00) <= 14:00(+14:00) <= 17:00(+14:00)

    2.
    Set an arbitrary date (e.g., 2002-02-16).
    So I need to check whether
    2002-02-16T09:00(+14:00) <= 2002-02-16T14:00(+14:00) <= 2002-02-16T17:00(+14:00)

    3.
    Normalize the three time values.
    So I need to check whether
    2002-02-15T19:00Z <= 2002-02-16T00:00Z <= 2002-02-16T03:00Z

    4.
    The result is true.

    >> The first part of my problem is that XML Schema says that
    >> a time with no time zone (like the one in my policy.xml)
    >> cannot be compared to a time with a time zone (like the
    >> current time). This part of my problem can be solved either by
    >> always specifying a time zone in the policy (as I did in
    >> policy2.xml) or by changing the definitions of the time
    >> comparison functions in the XACML spec to point to XML Query
    >> instead of XML Schema.

    I think we should change the definitions of the time
    comparison functions in the XACML spec to point to XML Query
    instead of XML Schema.


    Satoshi Hada
    IBM Tokyo Research Laboratory
    mailto:satoshih@jp.ibm.com



    Steve Hanna <steve.hanna@sun.com>

    2003/07/23 03:28

           
            To:        Satoshi Hada/Japan/IBM@IBMJP
            cc:        xacml@lists.oasis-open.org
            Subject:        Re: [xacml] Problems with XACML and time

           



    Satoshi Hada wrote:
    > I'm not yet sure I correctly understand your problem.

    You have captured the essence below. Here are a few
    comments, though.

    > You want to check whether the current time is between 9:00 and
    > 17:00 in an arbitrary time zone, which is not specified in the
    > policy.

    Right. I wouldn't say the time zone is "arbitrary". It's generally
    the time zone of the PDP. But other than that, I agree.

    > Assume that the PDP is in the time zone +14:00, and that the
    > current time is 14:00 in the PDP's time zone. Then you want
    > to check whether 09:00(+14:00) <= 14:00(+14:00) <= 17:00(+14:00).
    > Of course, the result should be true.

    Right!

    > However, according to the XML-Schema specification, you have to
    > normalize the three time values. They are normalized to
    > 19:00 <= 00:00 <= 03:00. It seems to me that you say that the
    > result is false because 19:00 <= 00:00 is false.

    That's right.

    > Does this summarize your problem?

    Yes, it summarizes the second part of my problem (the part
    caused by the fact that XML Schema and XML Query require times
    to be normalized to GMT before comparison).

    The first part of my problem is that XML Schema says that
    a time with no time zone (like the one in my policy.xml)
    cannot be compared to a time with a time zone (like the
    current time). This part of my problem can be solved either by
    always specifying a time zone in the policy (as I did in
    policy2.xml) or by changing the definitions of the time
    comparison functions in the XACML spec to point to XML Query
    instead of XML Schema.

    Thanks,

    Steve

    >
    > Satoshi Hada
    > IBM Tokyo Research Laboratory
    > mailto:satoshih@jp.ibm.com
    >
    >   Steve Hanna <steve.hanna@sun.com>
    >   2003/07/18 23:23
    >   To:        Satoshi Hada/Japan/IBM@IBMJP
    >   cc:        xacml@lists.oasis-open.org
    >   Subject:        Re: [xacml] Problems with XACML and time
    >
    >
    >
    > Satoshi Hada wrote:
    > > Thank you for the clarification. I don't think I fully
    > > understand the problem, and I will read your mail more
    > > carefully next week.
    >
    > OK, thanks for your careful consideration.
    >
    > > >> The simplest
    > > >> way to make this change would be to change the definition of the
    > > >> XACML time comparison functions to refer to XML Query instead of
    > > >> XML Schema, as the time-equal function already does.
    > >
    > > I like this change.
    > >
    > > >> This solution does not solve the problem mentioned in this
    > > >> paragraph from my original email:
    > >
    > > A quick question:
    > >
    > > Do you mean even though we make the above change
    > > we still have the problem (the change does not solve all the
    > > problems)?
    >
    > Yes, changing the time comparison functions to refer to XML Query
    > instead of XML Schema does not solve all the problems in my email.
    > It solves one of them (the need to specify time zones for all
    > times). But it doesn't solve the second problem (the problems
    > that arise when midnight GMT falls during normal business
    > hours, as it does in many parts of the world). Solving that
    > problem will require an additional change, such as adding the
    > time-in-range function.
    >
    > Thanks again for your help,

    >
    > Steve Hanna
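
The two readings of the comparison discussed in this thread, run side by side in Python as an added example that is not part of the original messages. All function names are hypothetical; `in_range_wrapping` is an illustrative wrap-aware check, not the XACML definition of time-in-range, and the 20:00Z request time is a constructed case that goes beyond the thread's same-zone example.

```python
from datetime import date, datetime, time, timedelta, timezone

ARBITRARY_DATE = date(2002, 2, 16)  # the arbitrary date used in the message

def tod(hh, mm, offset_hours):
    """Constructed helper: a time of day with a fixed UTC offset."""
    return time(hh, mm, tzinfo=timezone(timedelta(hours=offset_hours)))

def utc_minutes_wrapped(t):
    """Normalize to UTC and keep only the time of day (wraps at midnight)."""
    offset = int(t.utcoffset().total_seconds()) // 60
    return (t.hour * 60 + t.minute - offset) % 1440

def utc_datetime(t, day=ARBITRARY_DATE):
    """Attach a date first, then normalize the resulting dateTime to UTC."""
    return datetime.combine(day, t).astimezone(timezone.utc)

def between_time_only(lo, now, hi):
    """Reading 1: compare the normalized times of day, date discarded."""
    a, b, c = (utc_minutes_wrapped(x) for x in (lo, now, hi))
    return a <= b <= c

def between_with_date(lo, now, hi):
    """Reading 2: compare as dateTime values sharing one arbitrary date."""
    return utc_datetime(lo) <= utc_datetime(now) <= utc_datetime(hi)

def in_range_wrapping(lo, now, hi):
    """Hypothetical wrap-aware check: minutes elapsed since lo, modulo 24h."""
    a, b, c = (utc_minutes_wrapped(x) for x in (lo, now, hi))
    return (b - a) % 1440 <= (c - a) % 1440

# Policy window and current time from the thread: 09:00-17:00, 14:00, all +14:00.
LO, NOW, HI = tod(9, 0, 14), tod(14, 0, 14), tod(17, 0, 14)
# Constructed: the same kind of request, but the time arrives in UTC.
# 20:00Z is 10:00 at +14:00, so it falls inside the business-hours window.
NOW_UTC = tod(20, 0, 0)

if __name__ == "__main__":
    for name, check in [("time-only", between_time_only),
                        ("with-date", between_with_date),
                        ("wrapping", in_range_wrapping)]:
        print(f"{name:10} same-zone={check(LO, NOW, HI)} "
              f"mixed-zone={check(LO, NOW_UTC, HI)}")
```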



