OASIS eXtensible Access Control Markup Language (XACML) TC

  • 1.  Possible issue or editorial cleanup item - missing equality predicates,etc.

    Posted 03-30-2009 18:49
    
    
    
    
    There are no equality predicates in section A.3.1 for the following
    datatypes:
    • urn:oasis:names:tc:xacml:2.0:data-type:ipAddress
    • urn:oasis:names:tc:xacml:2.0:data-type:dnsName
    • urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression
    I don't know if this was intentional, but suspect it was just an oversight as these 3 data types were added after XACML 1.1.

    Also, it appears some or all of them may be missing from some functions:
    • intersection
    • at-least-one-member-of
    • union
    • subset
    • set-equal
    Also, I am curious what, if any, association might or might not be intended between the first two above and the Subject identifiers:
    • urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address
    • urn:oasis:names:tc:xacml:2.0:data-type:dnsName

        Thanks,
        Rich



  • 2.  Re: [xacml] Possible issue or editorial cleanup item - missing equalitypredicates, etc.

    Posted 03-31-2009 06:59
    Hi Rich,
    
    I think we discussed this some time ago. It's intentional since there 
    are pattern matching functions instead. And, yes, I also pointed out 
    that this means that the set functions are not defined for those data 
    types because of this, but I think this was not seen as a problem. I 
    don't recall the details of the discussion though, so I might be mistaken.
    
    I don't understand your last question.
    
    Best regards,
    Erik
    
    Rich.Levinson wrote:
    > There are no equality predicates in section A.3.1 for the following 
    > datatypes:
    >
    >     * urn:oasis:names:tc:xacml:2.0:data-type:ipAddress
    >     * urn:oasis:names:tc:xacml:2.0:data-type:dnsName
    >     * urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression
    >
    > I don't know if this was intentional, but suspect it was just an 
    > oversight as these 3 data types were added after XACML 1.1.
    >
    > Also, it appears some or all of them may be missing from some functions:
    >
    >     * intersection
    >     * at-least-one-member-of
    >     * union
    >     * subset
    >     * set-equal
    >
    > Also, I am curious what, if any, association might or might not be 
    > intended between the first two above and the Subject identifiers:
    >
    >     * urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address
    >     * urn:oasis:names:tc:xacml:2.0:data-type:dnsName
    >
    >
    >     Thanks,
    >     Rich
    >
    
    


  • 3.  Re: [xacml] Possible issue or editorial cleanup item - missing equalitypredicates, etc.

    Posted 03-31-2009 11:13
    
    
      
    
    
    Hi Erik,

    That's fine. It would be useful to dig up the rationale, and possibly put it in the doc somewhere, such as section A.2 where these items are discussed in some detail.

    Also, my last question was simply if there is any relation between the dns-name of the Subject attribute and the dnsName of the datatype. Same for ip-address. i.e.would it be reasonable to expect that these datatypes would apply to AttributeValues associated with those subject attribute ids? I suppose the answer is obvious - that there could be but doesn't have to be. But I was also wondering what motivated the addition of these datatypes. Possibly it was related to the remark I just noticed on line 5098-99 which preceded the subject attributes:
    The following identifiers indicate the location where authentication credentials were activated.  They are intended to support the corresponding entities from the SAML authentication statement [SAML].
    i.e. there was some SAML activity with these, which appears to have raised their visibility to the point where they were late additions to the xacml datatypes.

        Thanks,
        Rich


    Erik Rissanen wrote:
    49D1BF06.9070303@axiomatics.com" type="cite">Hi Rich,

    I think we discussed this some time ago. It's intentional since there are pattern matching functions instead. And, yes, I also pointed out that this means that the set functions are not defined for those data types because of this, but I think this was not seen as a problem. I don't recall the details of the discussion though, so I might be mistaken.

    I don't understand your last question.

    Best regards,
    Erik

    Rich.Levinson wrote:
    There are no equality predicates in section A.3.1 for the following datatypes:

        * urn:oasis:names:tc:xacml:2.0:data-type:ipAddress
        * urn:oasis:names:tc:xacml:2.0:data-type:dnsName
        * urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression

    I don't know if this was intentional, but suspect it was just an oversight as these 3 data types were added after XACML 1.1.

    Also, it appears some or all of them may be missing from some functions:

        * intersection
        * at-least-one-member-of
        * union
        * subset
        * set-equal

    Also, I am curious what, if any, association might or might not be intended between the first two above and the Subject identifiers:

        * urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address
        * urn:oasis:names:tc:xacml:2.0:data-type:dnsName


        Thanks,
        Rich




  • 4.  Re: [xacml] Possible issue or editorial cleanup item - missing equalitypredicates, etc.

    Posted 04-02-2009 04:15
    
    
      
    
    
    Hi Erik,

    I looked up to find discussion on this and didn't quite get a match, although there was a ref in the Nov 6 minutes:
    http://lists.oasis-open.org/archives/xacml/200811/msg00027.html
    possibly related to this exchange on xacml-comment:
    http://lists.oasis-open.org/archives/xacml-comment/200811/msg00001.html

    Those were regarding details. I understand that one might consider regexp-match an alternative to <type>-equals, however, what I don't understand is why regexp-match is used for all of 4 xacml-defined datatypes for identifiers or resources:
    • dnsName - A.3.13 line 4843 ->
    • ipAddress - A.3.13 line 4835 ->
    • rfc822Name - A.3.13 line 4851 ->
    • x500Name - A.3.13 line 4859 ->
    while for <type>-equals there is only:
    • rfc822Name - A.3.1 line 3982 ->
    • x500Name - A.3.1 line 3968 ->
    These 4 datatypes are discussed in section A.2 starting on line 3850.
    There is additional detailed info as ref'd above for rfc822, x500 under A.3.1 <type>-equals.

    As I look at it some more, it is beginning to appear that the comparable detail that is listed in A.2 for ipAddress and dnsName is in section A.3.1 for rfc822 and x500 under <type>-equals.

    There is something out of balance here at a cursory look. It would seem that either ipAddress and x500Name should also be in section A.3.1 or there should be an explanation as to why they are not. As it stands now, it looks like an editing error to me - not a serious error, but one that causes some confusion. And also, it looks like it might have occurred because ipAddress and dnsName were added later, which is why I suggested it was likely an oversight.

    Another possibility is that the info in section A.3.1 should be removed, put in section A.2 with the others and all of them should use regexp-match. i.e. the explanation of how to do rfc822Name-equal and x500Name-equal appears to be a stretch for a "-equal" function, esp. if the other two are done w regexp-match.

    It's not of earth-shattering importance, I admit, but this is a suggestion for the "clean-up" and on the surface, at least, it appears to me to be more of a cleanup than a correction of any specific error task, except that if the original update was inadvertent, it may effectively be introducing an error of imbalance, unless, of course, there is a reason, in which case it would be desirable to put the reason in section A.2.

        Thanks,
        Rich


    Rich.Levinson wrote:
    49D1FA70.4020204@oracle.com" type="cite">Hi Erik,

    That's fine. It would be useful to dig up the rationale, and possibly put it in the doc somewhere, such as section A.2 where these items are discussed in some detail.

    Also, my last question was simply if there is any relation between the dns-name of the Subject attribute and the dnsName of the datatype. Same for ip-address. i.e.would it be reasonable to expect that these datatypes would apply to AttributeValues associated with those subject attribute ids? I suppose the answer is obvious - that there could be but doesn't have to be. But I was also wondering what motivated the addition of these datatypes. Possibly it was related to the remark I just noticed on line 5098-99 which preceded the subject attributes:

       The following identifiers indicate the location where authentication
       credentials were activated.  They are intended to support the
       corresponding entities from the SAML authentication statement [SAML].

    i.e. there was some SAML activity with these, which appears to have raised their visibility to the point where they were late additions to the xacml datatypes.

       Thanks,
       Rich


    Erik Rissanen wrote:
    Hi Rich,

    I think we discussed this some time ago. It's intentional since there are pattern matching functions instead. And, yes, I also pointed out that this means that the set functions are not defined for those data types because of this, but I think this was not seen as a problem. I don't recall the details of the discussion though, so I might be mistaken.

    I don't understand your last question.

    Best regards,
    Erik

    Rich.Levinson wrote:
    There are no equality predicates in section A.3.1 for the following datatypes:

        * urn:oasis:names:tc:xacml:2.0:data-type:ipAddress
        * urn:oasis:names:tc:xacml:2.0:data-type:dnsName
        * urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression

    I don't know if this was intentional, but suspect it was just an oversight as these 3 data types were added after XACML 1.1.

    Also, it appears some or all of them may be missing from some functions:

        * intersection
        * at-least-one-member-of
        * union
        * subset
        * set-equal

    Also, I am curious what, if any, association might or might not be intended between the first two above and the Subject identifiers:

        * urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address
        * urn:oasis:names:tc:xacml:2.0:data-type:dnsName


        Thanks,
        Rich





  • 5.  Re: [xacml] Possible issue or editorial cleanup item - missing equalitypredicates, etc.

    Posted 04-04-2009 09:48
    Hi Rich,
    
    I was referring to this thread:
    
    http://lists.oasis-open.org/archives/xacml/200807/msg00021.html
    
    The minutes of the TC call where we discussed the issue are here:
    
    http://lists.oasis-open.org/archives/xacml/200807/msg00026.html
    
    I'm not sure how to read that, but I recall that we decided to not
    introduce these equality functions. And since the set functions are
    defined in terms of the equality functions, the set functions are also
    undefined. I am pretty sure I pointed out this in the discussion, though
    it's not recorded in the minutes. So the spec is right now as the TC has
    decided.
    
    Best regards,
    Erik
    
    Rich.Levinson wrote:
    > Hi Erik,
    >
    > I looked up to find discussion on this and didn't quite get a match,
    > although there was a ref in the Nov 6 minutes:
    > http://lists.oasis-open.org/archives/xacml/200811/msg00027.html
    > possibly related to this exchange on xacml-comment:
    > http://lists.oasis-open.org/archives/xacml-comment/200811/msg00001.html
    >
    > Those were regarding details. I understand that one might consider
    > regexp-match an alternative to 


  • 6.  Re: [xacml] Possible issue or editorial cleanup item - missing equality predicates, etc.

    Posted 04-04-2009 14:26
    On Apr 4, 2009, at 2:47 AM, Erik Rissanen wrote:
    
    >> There is something out of balance here at a cursory look. It would
    >> seem that either ipAddress and x500Name should also be in section
    >> A.3.1 or there should be an explanation as to why they are not. As it
    >> stands now, it looks like an editing error to me - not a serious
    >> error, but one that causes some confusion. And also, it looks like it
    >> might have occurred because ipAddress and dnsName were added later,
    >> which is why I suggested it was likely an oversight.
    
    I think this is likely the case. It has been a while since we  
    discussed this but my recollection is that regex was to be a valid  
    matching option on all 4.
    
    b
    


  • 7.  Re: [xacml] Possible issue or editorial cleanup item - missing equalitypredicates, etc.

    Posted 04-07-2009 03:46
    
    
      
    
    
    Hi Erik,

    I see from the references you gave that you essentially raised a very similar issue a few months ago, and that it was apparently decided (I realize I was on the call and wrote the minutes :) ) to leave things as is. So, I agree, there is no point now trying to rush something through, and presumably, when the changes for dnsName and ipAddress were added that the requirements at the time were met. The essential information appears to be there if you really look for it.

    Maybe we can carry this forward for another release - we should probably have a bucket for things we think should probably be addressed down the road but don't make the cut on this train.

        Thanks,
        Rich


    Erik Rissanen wrote:
    49D72CA1.60908@axiomatics.com" type="cite">
    Hi Rich,
    
    I was referring to this thread:
    
    http://lists.oasis-open.org/archives/xacml/200807/msg00021.html
    
    The minutes of the TC call where we discussed the issue are here:
    
    http://lists.oasis-open.org/archives/xacml/200807/msg00026.html
    
    I'm not sure how to read that, but I recall that we decided to not
    introduce these equality functions. And since the set functions are
    defined in terms of the equality functions, the set functions are also
    undefined. I am pretty sure I pointed out this in the discussion, though
    it's not recorded in the minutes. So the spec is right now as the TC has
    decided.
    
    Best regards,
    Erik
    
    Rich.Levinson wrote:
      
    Hi Erik,
    
    I looked up to find discussion on this and didn't quite get a match,
    although there was a ref in the Nov 6 minutes:
    http://lists.oasis-open.org/archives/xacml/200811/msg00027.html
    possibly related to this exchange on xacml-comment:
    http://lists.oasis-open.org/archives/xacml-comment/200811/msg00001.html
    
    Those were regarding details. I understand that one might consider
    regexp-match an alternative to <type>-equals, however, what I don't
    understand is why regexp-match is used for all of 4 xacml-defined
    datatypes for identifiers or resources:
    
        * dnsName - A.3.13 line 4843 ->
        * ipAddress - A.3.13 line 4835 ->
        * rfc822Name - A.3.13 line 4851 ->
        * x500Name - A.3.13 line 4859 ->
    
    while for <type>-equals there is only:
    
        * rfc822Name - A.3.1 line 3982 ->
        * x500Name - A.3.1 line 3968 ->
    
    These 4 datatypes are discussed in section A.2 starting on line 3850.
    There is additional detailed info as ref'd above for rfc822, x500
    under A.3.1 <type>-equals.
    
    As I look at it some more, it is beginning to appear that the
    comparable detail that is listed in A.2 for ipAddress and dnsName is
    in section A.3.1 for rfc822 and x500 under <type>-equals.
    
    There is something out of balance here at a cursory look. It would
    seem that either ipAddress and x500Name should also be in section
    A.3.1 or there should be an explanation as to why they are not. As it
    stands now, it looks like an editing error to me - not a serious
    error, but one that causes some confusion. And also, it looks like it
    might have occurred because ipAddress and dnsName were added later,
    which is why I suggested it was likely an oversight.
    
    Another possibility is that the info in section A.3.1 should be
    removed, put in section A.2 with the others and all of them should use
    regexp-match. i.e. the explanation of how to do rfc822Name-equal and
    x500Name-equal appears to be a stretch for a "-equal" function, esp.
    if the other two are done w regexp-match.
    
    It's not of earth-shattering importance, I admit, but this is a
    suggestion for the "clean-up" and on the surface, at least, it appears
    to me to be more of a cleanup than a correction of any specific error
    task, except that if the original update was inadvertent, it may
    effectively be introducing an error of imbalance, unless, of course,
    there is a reason, in which case it would be desirable to put the
    reason in section A.2.
    
        Thanks,
        Rich
    
    
    Rich.Levinson wrote:
        
    Hi Erik,
    
    That's fine. It would be useful to dig up the rationale, and possibly
    put it in the doc somewhere, such as section A.2 where these items
    are discussed in some detail.
    
    Also, my last question was simply if there is any relation between
    the dns-name of the Subject attribute and the dnsName of the
    datatype. Same for ip-address. i.e.would it be reasonable to expect
    that these datatypes would apply to AttributeValues associated with
    those subject attribute ids? I suppose the answer is obvious - that
    there could be but doesn't have to be. But I was also wondering what
    motivated the addition of these datatypes. Possibly it was related to
    the remark I just noticed on line 5098-99 which preceded the subject
    attributes:
    
       The following identifiers indicate the location where authentication
       credentials were activated.  They are intended to support the
       corresponding entities from the SAML authentication statement [SAML].
    
    i.e. there was some SAML activity with these, which appears to have
    raised their visibility to the point where they were late additions
    to the xacml datatypes.
    
       Thanks,
       Rich
    
    
    Erik Rissanen wrote:
          
    Hi Rich,
    
    I think we discussed this some time ago. It's intentional since
    there are pattern matching functions instead. And, yes, I also
    pointed out that this means that the set functions are not defined
    for those data types because of this, but I think this was not seen
    as a problem. I don't recall the details of the discussion though,
    so I might be mistaken.
    
    I don't understand your last question.
    
    Best regards,
    Erik
    
    Rich.Levinson wrote:
            
    There are no equality predicates in section A.3.1 for the following
    datatypes:
    
        * urn:oasis:names:tc:xacml:2.0:data-type:ipAddress
        * urn:oasis:names:tc:xacml:2.0:data-type:dnsName
        * urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression
    
    I don't know if this was intentional, but suspect it was just an
    oversight as these 3 data types were added after XACML 1.1.
    
    Also, it appears some or all of them may be missing from some
    functions:
    
        * intersection
        * at-least-one-member-of
        * union
        * subset
        * set-equal
    
    Also, I am curious what, if any, association might or might not be
    intended between the first two above and the Subject identifiers:
    
        * urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address
        * urn:oasis:names:tc:xacml:2.0:data-type:dnsName
    
    
        Thanks,
        Rich