OASIS eXtensible Access Control Markup Language (XACML) TC

FW: [xacml-comment] Incomplete definition of the ipAddress-is-in and dnsName-is-in functions

  • 1.  FW: [xacml-comment] Incomplete definition of the ipAddress-is-in and dnsName-is-in functions

    Posted 04-07-2011 20:58
    My initial thought is that it would be better to define equality functions for these types, even if they might not be completely determinate. I'm not familiar with these types so I don't know what problems there might be. But as a policy writer I appreciate having the type-is-in functions available.

    Regards,
    --Paul


  • 2.  Re: [xacml] FW: [xacml-comment] Incomplete definition of the ipAddress-is-in and dnsName-is-in functions

    Posted 04-14-2011 12:46
    Hi Paul,

    For IPv6 the IP address data type encoding is defined by: http://www.ietf.org/rfc/rfc2732.txt

    For IPv4 and the dnsname datatype it's by: http://www.ietf.org/rfc/rfc2396.txt section 3.2

    Neither appears to define equality testing or canonical forms. The XACML DNSname type also defines a wildcard "*" which further complicates matters.

    So it's a non-trivial exercise to define them. I would leave them. At least for now at this stage in the 3.0 process.

    Best regards,
    Erik

    On 2011-04-07 22:57, Tyson, Paul H wrote:
    > My initial thought is that it would be better to define equality
    > functions for these types, even if they might not be completely
    > determinate. I'm not familiar with these types so I don't know what
    > problems there might be. But as a policy writer I appreciate having the
    > type-is-in functions available.
    >
    > Regards,
    > --Paul
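
The points raised in the reply above, as an added example that is not part of the thread or of the XACML specification: without a canonical form, plain string comparison treats two spellings of one address as different values, and the "*" wildcard admits two readings of "equal", one of which is not even transitive. The function names, the normalization rules and the leading-wildcard reading are assumptions chosen for illustration, and the sample values are constructed.

```python
import ipaddress

def ip_key(text):
    """Candidate equality key for an address literal: parse it so that
    textual variants of one address compare equal (assumed rule)."""
    host = text.strip()
    if host.startswith("[") and host.endswith("]"):  # RFC 2732 bracketed IPv6
        host = host[1:-1]
    return ipaddress.ip_address(host)

def dns_key(name):
    """Candidate equality key for a DNS name: case-fold and drop the
    trailing root dot (assumed rule; the thread notes none is defined)."""
    return name.strip().lower().rstrip(".")

def dns_equal_literal(a, b):
    """Reading 1: '*' is an ordinary character, so compare the patterns."""
    return dns_key(a) == dns_key(b)

def dns_equal_wildcard(a, b):
    """Reading 2: a leading '*' on either side matches any prefix."""
    a, b = dns_key(a), dns_key(b)
    for pattern, other in ((a, b), (b, a)):
        if pattern.startswith("*") and other.endswith(pattern[1:]):
            return True
    return a == b

if __name__ == "__main__":
    # Constructed sample values (documentation address range and domain).
    short, long_ = "[2001:db8::1]", "[2001:0DB8:0:0:0:0:0:1]"
    print("string equal:", short == long_)
    print("parsed equal:", ip_key(short) == ip_key(long_))

    wild, www, mail = "*.example.com", "www.example.com", "mail.example.com"
    print("literal  wild==www :", dns_equal_literal(wild, www))
    print("wildcard wild==www :", dns_equal_wildcard(wild, www))
    print("wildcard wild==mail:", dns_equal_wildcard(wild, mail))
    # Not transitive: www and mail both "equal" wild, but not each other.
    print("wildcard www==mail :", dns_equal_wildcard(www, mail))
```

A policy that tests bag membership with one reading and is evaluated by an engine using the other can permit or deny differently for the same request, which is the interoperability risk behind leaving these functions undefined.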