OASIS eXtensible Access Control Markup Language (XACML) TC


10. Parameters for Combining Algorithms


    Posted 10-27-2003 17:59


    Subject: 10. Parameters for Combining Algorithms


    This is an attempt to capture issues raised during the discussion
    of this item for future reference.  Note that the item has been
    closed for 2.0 in favor of solving the problem using XACML
    Extension Points (#11).
    
    Proposal: http://lists.oasis-open.org/archives/xacml/200305/msg00014.html
    
    1. Any new "parameters" element needs to be scoped so that it does
       not become a "kitchen sink" (used for arbitrary data and
       semantics that are difficult to control and reconcile with
       future versions of standard XACML).
    2. This changes the evaluation of combining algorithms: now
       sub-policies or rules must be evaluated in order to see if
       they contain parameters.  Previously, the combining algorithm
       did not depend on evaluation of sub-policies or rules.
    3. If parameters were limited to use with Rule Combining
       Algorithms, they would be easier to apply, since there are no
       references to external rules and all the rule content is local
       to the Policy document.
    4. Would need to define how to deal with missing parameters or a
       mismatch between parameters and the signature of the combining
       algorithm.
    5. If parameters are included in Policies, those Policies may be
       referenced from multiple PolicySets, each with its own
       combining algorithm.  Not all of the combining algorithms may
       expect the same parameters in the same order.
    6. Parameters could be added via a new XACML schema extension.
       Such an extension would not parse as valid XACML (since XACML
       does not define schema extension points).  This is not a
       problem because only PDPs that had been modified to understand
       the semantics of the new combining algorithms would be able to
       handle the new policies anyway - when a PDP was modified to
       handle the new combining algorithm, it could be modified to
       handle the new schema.
    7. The functionality of parameters used only for ordering or
       precedence can be handled by using one of the "ordered" forms
       of the standard combining algorithms and ordering the rules or
       policies as desired when composing the policy document.
    
    Anne
    -- 
    Anne H. Anderson             Email: Anne.Anderson@Sun.COM
    Sun Microsystems Laboratories
    1 Network Drive,UBUR02-311     Tel: 781/442-0928
    Burlington, MA 01803-0902 USA  Fax: 781/442-1692
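
Points 7 and 4 of the message above, as an added example that is not part of the original message or of any XACML implementation: a toy evaluator comparing a hypothetical priority-parameterised rule-combining algorithm with a first-applicable algorithm run over rules ordered at authoring time. The rule model, the `priority` parameter, all function names and the choice to return Indeterminate for a missing parameter are assumptions.

```python
# Added illustration; not from the XACML specification or any PDP.
# Rule model, "priority" parameter and all names are assumptions.
from dataclasses import dataclass
from typing import Callable, Optional

PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "NotApplicable", "Indeterminate"

@dataclass
class Rule:
    rule_id: str
    effect: str
    applies: Callable[[dict], bool]   # simplified target/condition check
    priority: Optional[int] = None    # hypothetical combining parameter

def first_applicable(rules, request):
    """First-applicable combining: document order decides precedence."""
    for rule in rules:
        if rule.applies(request):
            return rule.effect
    return NOT_APPLICABLE

def by_priority(rules, request):
    """Hypothetical parameterised algorithm: highest-priority applicable rule wins."""
    # Point 4: a rule without the expected parameter (assumed handling: Indeterminate).
    if any(r.priority is None for r in rules):
        return INDETERMINATE
    matching = [r for r in rules if r.applies(request)]
    if not matching:
        return NOT_APPLICABLE
    return max(matching, key=lambda r: r.priority).effect

def order_for_first_applicable(rules):
    """Point 7: bake the precedence into document order when composing the policy."""
    return sorted(rules, key=lambda r: -r.priority)

# Constructed sample rules and requests.
RULES = [
    Rule("permit-staff", PERMIT, lambda q: q.get("role") == "staff", priority=1),
    Rule("deny-after-hours", DENY, lambda q: q.get("hour", 12) >= 20, priority=5),
    Rule("permit-admin", PERMIT, lambda q: q.get("role") == "admin", priority=9),
]
REQUESTS = [{"role": "staff", "hour": 10}, {"role": "staff", "hour": 22},
            {"role": "admin", "hour": 22}, {"role": "guest", "hour": 10}]

def compare():
    """Return (parameterised decision, ordered first-applicable decision) per request."""
    ordered = order_for_first_applicable(RULES)
    return [(by_priority(RULES, q), first_applicable(ordered, q)) for q in REQUESTS]
```
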
    
    

