Hi Paul,

For IPv6 the IP address data type encoding is defined by:
http://www.ietf.org/rfc/rfc2732.txt

For IPv4 and the dnsname datatype it's by:
http://www.ietf.org/rfc/rfc2396.txt section 3.2

Neither appears to define equality testing or canonical forms. The XACML DNSname type also defines a wildcard "*" which further complicates matters. So it's a non-trivial exercise to define them. I would leave them. At least for now at this stage in the 3.0 process.

Best regards,
Erik

On 2011-04-07 22:57, Tyson, Paul H wrote:
> My initial thought is that it would be better to define equality
> functions for these types, even if they might not be completely
> determinate. I'm not familiar with these types so I don't know what
> problems there might be. But as a policy writer I appreciate having the
> type-is-in functions available.
>
> Regards,
> --Paul
>
> -----Original Message-----
> From: Erik Rissanen [mailto:erik@axiomatics.com]
> Sent: Tuesday, March 29, 2011 03:11
> To: xacml-comment@lists.oasis-open.org
> Subject: Re: [xacml-comment] Incomplete definition of the
> ipAddress-is-in and dnsName-is-in functions
>
> Steven,
>
> Thanks for spotting. I agree, the identifiers should be removed.
>
> Best regards,
> Erik
>
> On 2011-03-29 05:01, Steven Legg wrote:
>> Section 10.2.8 of the XACML 3.0 core specification (CS-01) lists
>> urn:oasis:names:tc:xacml:2.0:function:ipAddress-is-in and
>> urn:oasis:names:tc:xacml:2.0:function:dnsName-is-in as mandatory
>> to implement functions. The type-is-in functions are described in
>> appendix A.3.10 in terms of a corresponding
>> urn:oasis:names:tc:xacml:x.x:function:type-equal function, however
>> the necessary ipAddress-equal and dnsName-equal functions have not
>> been defined.
>>
>> Judging from the archives there is no intention of defining the
>> ipAddress-equal and dnsName-equal functions, in which case the
>> ipAddress-is-in and dnsName-is-in function identifiers should be
>> removed.
>>
>> Regards,
>> Steven
>>
>
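The point discussed in this thread, as an added example that is not part of the original messages or of the XACML specification: a type-is-in result depends entirely on which equality definition is plugged in, so an access decision can differ between implementations. The four comparison functions and all sample values are hypothetical candidates constructed for illustration.

```python
import ipaddress

def is_in(value, bag, equal):
    # type-is-in expressed through a type-equal function:
    # true if any member of the bag equals the value.
    return any(equal(value, member) for member in bag)

def literal_equal(a, b):
    # Candidate 1 (assumption): compare the lexical forms as written.
    return a == b

def ipv6_parsed_equal(a, b):
    # Candidate 2 (assumption): strip the RFC 2732 brackets and
    # compare the parsed 128-bit addresses.
    return ipaddress.ip_address(a.strip("[]")) == ipaddress.ip_address(b.strip("[]"))

def dns_casefold_equal(a, b):
    # Candidate 3 (assumption): compare host names case-insensitively.
    return a.lower() == b.lower()

def dns_wildcard_match(name, pattern):
    # Candidate 4 (assumption): a leading "*" in the pattern matches
    # any prefix of the name. Not symmetric, so not an equality relation.
    if pattern.startswith("*"):
        return name.lower().endswith(pattern[1:].lower())
    return dns_casefold_equal(name, pattern)

# Constructed sample bags, as a policy might carry them.
IP_BAG = ["[2001:0DB8:0:0:0:0:0:1]"]
DNS_BAG = ["www.example.com"]
WILDCARD_BAG = ["*.example.com"]

if __name__ == "__main__":
    # Same address, different spelling: the answer depends on the definition.
    print(is_in("[2001:db8::1]", IP_BAG, literal_equal))
    print(is_in("[2001:db8::1]", IP_BAG, ipv6_parsed_equal))
    # Same host name, different case.
    print(is_in("WWW.Example.COM", DNS_BAG, literal_equal))
    print(is_in("WWW.Example.COM", DNS_BAG, dns_casefold_equal))
    # Wildcard: matches in one direction only.
    print(is_in("www.example.com", WILDCARD_BAG, dns_wildcard_match))
    print(dns_wildcard_match("*.example.com", "www.example.com"))
```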