OASIS eXtensible Access Control Markup Language (XACML) TC

  • 1.  PolicySetIdReference Questions

    Posted 12-07-2012 20:52
    During a collaboration session with the TCG IF-MAP working group a question regarding the language in the XACML core specification came up that I was unable to answer and agreed to bring to the XACML TC for clarification.

    In section 5.10 Element <PolicySetIdReference> of the xacml-3.0-core-spec-en, starting at line 1973: "In the case that more than one matching version can be obtained, then the most recent one SHOULD be used."

    In the case where there are two or more PolicySets that have the same PolicySetId value and the same version value:

    1.) Can it be guaranteed that the “most recent” will always be selected?
    2.) How is the “most recent” selected (e.g. by date-time, largest Version value, etc)?
    3.) Does “SHOULD” (RFC2119) mean that the PEP cannot assume that the “most recent” will be selected?
    4.) Can the PEP assume that the PDP will at least select consistently, changing its selection when a version of the Policy/PolicySet is added or removed?

    In the case where there are two or more PolicySets that have the same PolicySetId value but different version values, how would these questions (1 – 4 above) be answered?

    Thanks,
    - Richard


  • 2.  RE: PolicySetIdReference Questions

    Posted 12-08-2012 00:18
    (reposting – forgot to reply to list)

    Two or more policysets should never have the same policysetid and version values. The identity of a policy revision is policy(set)id + version.

    The version attributes given in PolicySetIdReference are regular expressions, so it is quite possible that two or more policysets with the same policy id but *different version values* may match the PolicySetIdReference version match expression(s).

    The XACML 3.0 spec doesn’t define how version values should be compared or ordered. We ran into this in the REST api for policy access discussion a while ago.

    I read “SHOULD” to mean that a PDP is not required to implement the behavior in order to be considered XACML 3.0 compliant.

    Returning the most recent version when multiple versions of a policy match the version match expression is common sense but not strictly required or defined by the standard. Since it’s not defined by the standard, one cannot infer anything about how a particular compliant PDP will behave with regards to the 4 questions you posed.

    From a practicality standpoint it’s very likely that a particular implementation will select consistently, and even that it will select the most recent version, since any other implementation of PolicySetIdReference would be pretty useless (IMO).

    It seems to me that this area of the spec could be tightened up considerably, as I can’t imagine a use case where PolicySetIdReference would not select the most recent revision that meets the version pattern match requirements.

    -Danny

    Danny Thorpe
    Authorization Architect
    Dell Identity & Access Management, Quest Software

    Quest Software is now part of Dell.


  • 3.  RE: [xacml] PolicySetIdReference Questions

    Posted 01-10-2013 16:54
    I agree that the spec is far from clear. Here is what is intended.

    Section 5.1 and 5.14 say "It is the responsibility of the PAP to ensure that no two policies visible to the PDP have the same identifier." This should say "It is the responsibility of the PAP to ensure that no two policies visible to the PDP have the same identifier and the same version."

    The intent of sections 5.10, 5.11 and 5.12 is that versions consist of a series of decimal numbers separated by dots. Versions are compared by starting with the leftmost number and comparing each in turn until there is a different value or no value present for one of them. If the value is different, the version with the larger number is deemed "higher" or "later" or "newer". A missing value is taken to be the lowest value, thus the longer one is higher. For example, the following versions are in order from low to high, oldest to newest:

    1.223.7
    2.0.4.35
    2.0.5
    2.0.5.27
    2.1

    Section 5.13 defines a version wildcard syntax which I think is pretty clear. Given that, here are my answers to your questions.

    >In section 5.10 Element <PolicySetIdReference> of the xacml-3.0-core-spec-en; starting at
    >line 1973 "In the case that more than one matching version can be obtained, then the most
    >recent one SHOULD be used."
    >In the case where there are two or more PolicySets that have the same PolicySetId value and
    >the same version value:

    This case is not supposed to occur. If the Id is the same the version must differ.

    >1.) Can it be guaranteed that the "most recent" will always be selected?
    >2.) How is the "most recent" selected (e.g. by date-time, largest Version value, etc)?
    >3.) Does "SHOULD" (RFC2119) mean that the PEP cannot assume that the "most recent" will be
    >selected?
    >4.) Can the PEP assume that the PDP will at least select consistently, changing its selection when a version of the Policy/PolicySet is added or removed?
    >In the case where there are two or more PolicySets that have the same PolicySetId value but
    >different version values how would these questions (1 - 4 above) be answered?

    >1.) Can it be guaranteed that the "most recent" will always be selected?

    Yes in the cases where the spec says "most recent". By using the <PolicySetIdReference> XML Attributes: Version, EarliestVersion, and LatestVersion it is also possible to explicitly reference a Policy version which is not the latest.

    >2.) How is the "most recent" selected (e.g. by date-time, largest Version value, etc)?

    Only by comparison of version numbers as described above.

    >3.) Does "SHOULD" (RFC2119) mean that the PEP cannot assume that the "most recent" will be
    >selected?

    IMO, this SHOULD is a mistake or perhaps an ill-considered compromise. One of the oldest principles of XACML is that given the same Policies and the same decision request, all conformant PDPs will produce the same Effect. (Not always the same Obligations and Advice.) I would be in favor of changing this SHOULD to a MUST in the future.

    >4.) Can the PEP assume that the PDP will at least select consistently, changing its selection when a version of the Policy/PolicySet is added or removed?

    That is exactly the intention. We wanted people to be able to choose any of "a specific policy version", "the newest policy version available" or "the latest version 3 policy, but not version 4 or higher" among other use cases.

    Hal
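    The version ordering Hal describes, together with a deterministic resolution of a PolicySetIdReference over a small policy store, written out as an added example (this is illustration code, not the XACML TC's or any PDP's own). It assumes the wildcard syntax of section 5.13 as recalled here ('*' matches any one number, '+' matches any number and all that follow it), treats EarliestVersion and LatestVersion as concrete inclusive bounds rather than match patterns (a simplification for the example), and uses a constructed policy id and the five versions from Hal's list, loaded out of order. It also refuses to load a duplicate id+version pair, which is the PAP responsibility Hal says sections 5.1 and 5.14 should state.

```python
"""Policy version ordering and PolicySetIdReference resolution (added example).

Assumptions not stated on the page: the wildcard rules below follow XACML 3.0
section 5.13 as recalled here; EarliestVersion/LatestVersion are concrete
inclusive bounds in this example; the policy id and versions are constructed.
"""
from __future__ import annotations

import re
from functools import cmp_to_key
from itertools import zip_longest

VERSION_SYNTAX = re.compile(r"\d+(\.\d+)*")
VERSION_MATCH_SYNTAX = re.compile(r"((\d+|\*)\.)*(\d+|\*|\+)")


def parse_version(version: str) -> tuple[int, ...]:
    """A version is a series of decimal numbers separated by dots."""
    if not VERSION_SYNTAX.fullmatch(version):
        raise ValueError(f"malformed version: {version!r}")
    return tuple(int(part) for part in version.split("."))


def compare_versions(a: str, b: str) -> int:
    """Compare leftmost number first; a missing number is lower than any
    present one, so 2.0.5 < 2.0.5.27. Returns -1, 0 or 1."""
    for x, y in zip_longest(parse_version(a), parse_version(b), fillvalue=-1):
        if x != y:
            return -1 if x < y else 1
    return 0


def version_match_regex(pattern: str) -> re.Pattern[str]:
    """Translate a version match pattern ('1.2.*', '1.+', ...) to a regex."""
    if not VERSION_MATCH_SYNTAX.fullmatch(pattern):
        raise ValueError(f"malformed version match: {pattern!r}")
    pieces = []
    for token in pattern.split("."):
        if token == "*":
            pieces.append(r"\d+")              # any single number
        elif token == "+":
            pieces.append(r"\d+(?:\.\d+)*")    # any number and any that follow
        else:
            pieces.append(re.escape(token))    # an exact number
    return re.compile(r"\.".join(pieces))


class PolicyRepository:
    """Policies keyed by (id, version); the PAP must keep that pair unique."""

    def __init__(self) -> None:
        self._policies: dict[tuple[str, str], str] = {}

    def add(self, policy_id: str, version: str, document: str) -> None:
        parse_version(version)  # reject malformed versions at load time
        key = (policy_id, version)
        if key in self._policies:
            # A duplicate id+version makes "most recent" undefined; refuse it.
            raise ValueError(f"duplicate policy {policy_id} version {version}")
        self._policies[key] = document

    def versions_of(self, policy_id: str) -> list[str]:
        """All stored versions of a policy, oldest to newest."""
        found = [v for (pid, v) in self._policies if pid == policy_id]
        return sorted(found, key=cmp_to_key(compare_versions))

    def resolve(self, policy_id: str, version: str | None = None,
                earliest_version: str | None = None,
                latest_version: str | None = None) -> str | None:
        """The newest version satisfying every supplied constraint, or None.
        Same store + same reference always yields the same answer."""
        candidates = self.versions_of(policy_id)
        if version is not None:
            rx = version_match_regex(version)
            candidates = [v for v in candidates if rx.fullmatch(v)]
        if earliest_version is not None:
            candidates = [v for v in candidates
                          if compare_versions(v, earliest_version) >= 0]
        if latest_version is not None:
            candidates = [v for v in candidates
                          if compare_versions(v, latest_version) <= 0]
        return candidates[-1] if candidates else None


def build_sample_repository() -> PolicyRepository:
    """Constructed sample data: the versions from Hal's list, loaded out of order."""
    repo = PolicyRepository()
    for v in ["2.0.5", "1.223.7", "2.1", "2.0.5.27", "2.0.4.35"]:
        repo.add("urn:example:policyset", v, f"<PolicySet Version='{v}'/>")
    return repo


if __name__ == "__main__":
    repo = build_sample_repository()
    print(repo.versions_of("urn:example:policyset"))
    print(repo.resolve("urn:example:policyset"))                   # newest overall
    print(repo.resolve("urn:example:policyset", version="2.0.+"))  # newest 2.0.x, not 2.1
    print(repo.resolve("urn:example:policyset", latest_version="2.0.5"))
```

    Two things in this layout bear on the consistency point Hal raises: the ordering is purely numeric, so no date-time or load order enters the choice, and a duplicate id+version is rejected when the store is built rather than silently shadowing an earlier copy, so the question of which of two identical revisions "wins" never reaches the PDP.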