OASIS eXtensible Access Control Markup Language (XACML) TC

  • 1.  Typos in the XACML 2.0 standard?

    Posted 07-15-2008 08:42
    All,
    
    The dnsName and ipAddress datatypes are missing from the list of data 
    types identifiers in the conformance section. Their corresponding bag 
    functions as missing as well (type-one-and-only, etc).
    
    Unless there are objections, I will update the errata and the next 3.0 
    working draft by adding the following identifiers:
    
    urn:oasis:names:tc:xacml:2.0:data-type:ipAddress
    urn:oasis:names:tc:xacml:2.0:data-type:dnsName
    
    urn:oasis:names:tc:xacml:2.0:function:ipAddress-one-and-only
    urn:oasis:names:tc:xacml:2.0:function:dnsName-one-and-only
    urn:oasis:names:tc:xacml:2.0:function:ipAddress-bag-size
    urn:oasis:names:tc:xacml:2.0:function:dnsName-bag-size
    urn:oasis:names:tc:xacml:2.0:function:ipAddress-is-in
    urn:oasis:names:tc:xacml:2.0:function:dnsName-is-in
    urn:oasis:names:tc:xacml:2.0:function:ipAddress-bag
    urn:oasis:names:tc:xacml:2.0:function:dnsName-bag
    
    Note that I am using "2.0" in the identifiers since they are for 2.0 
    data types, although the general section on bag functions just mentions 
    "1.0". I think that section should also be updated.
    
    For instance, it says:
    
    · urn:oasis:names:tc:xacml:1.0:function:type-one-and-only
    This function SHALL take a bag of ‘type’ values as an argument and SHALL 
    return a value
    of ‘-type’. It SHALL return the only value in the bag. If the bag does 
    not have one and only
    one value, then the expression SHALL evaluate to "Indeterminate".
    
    It should say urn:oasis:names:tc:xacml:X.X:function:type-one-and-only, 
    as it already says in other similar places.
    
    For the other data types there are also set functions, such as union, 
    intersection, etc. There are no set functions on dnsName and ipAddress 
    in the list of function identifiers. I am not sure if that is by design 
    or by mistake. The definitions of the set functions depend on the 
    definition of the -equal function for the particular data type. But, 
    there are no -equal functions defined for ipAddress and dnsName. There 
    are -regexp-match for them though, so it might be by design. I suspect 
    that it's a mistake. If so, the following identifiers need to be added 
    as well:
    
    urn:oasis:names:tc:xacml:2.0:function:ipAddress-equal
    urn:oasis:names:tc:xacml:2.0:function:dnsName-equal
    
    urn:oasis:names:tc:xacml:2.0:function:ipAddress-intersection
    urn:oasis:names:tc:xacml:2.0:function:dnsName-intersection
    urn:oasis:names:tc:xacml:2.0:function:ipAddress-at-least-one-member-of
    urn:oasis:names:tc:xacml:2.0:function:dnsName-at-least-one-member-of
    urn:oasis:names:tc:xacml:2.0:function:ipAddress-union
    urn:oasis:names:tc:xacml:2.0:function:dnsName-union
    urn:oasis:names:tc:xacml:2.0:function:ipAddress-subset
    urn:oasis:names:tc:xacml:2.0:function:dnsName-subset
    urn:oasis:names:tc:xacml:2.0:function:ipAddress-set-equals
    urn:oasis:names:tc:xacml:2.0:function:dnsName-set-equals
    
    Regards,
    Erik
    
    
    


  • 2.  Re: [xacml] Typos in the XACML 2.0 standard?

    Posted 07-15-2008 13:54
    On Jul 15, 2008, at 1:41 AM, Erik Rissanen wrote:
    >
    > For the other data types there are also set functions, such as  
    > union, intersection, etc. There are no set functions on dnsName and  
    > ipAddress in the list of function identifiers. I am not sure if that  
    > is by design or by mistake. The definitions of the set functions  
    > depend on the definition of the -equal function for the particular  
    > data type. But, there are no -equal functions defined for ipAddress  
    > and dnsName. There are -regexp-match for them though, so it might be  
    > by design. I suspect that it's a mistake. If so, the following  
    > identifiers need to be added as well:
    
    
    Reaching back into my not so reliable memory leads me to believe this  
    was by design. dnsName and ipAddress regex matches serve as the  
    equality functions for these types. In this case where an exact match  
    is desired the parameter would be expressed as a literal regex  
    expression ("foo\.bar\.blah").
    
    I seem to recall that this was done to allow for broader definitions  
    than single IP addresses or hostnames in a consistent manner ("???\.bar 
    \.blah", etc.)
    
    b