Subject: RE: [xacml] New issue#1 from "Boolean Policy resolution"



While I understand that you are proposing that "n/a" is effectively ignored, I can't agree with it.

The question being asked is should access be granted. In this case, the policy administrator has written a rule that implies that both predicates must allow access before the requester is granted access; however, the policy administrator has referenced a policy that does not apply. In a security and access control system, it is better to err on the side of caution and not grant access if there is any uncertainty.


t AND n/a = n/a
t AND n/a = f

James



-----Original Message-----
From: Polar Humenn [mailto:polar@syr.edu]
Sent: February 11, 2002 9:48 AM
To: bill parducci
Cc: XACML TC
Subject: Re: [xacml] New issue#1 from "Boolean Policy resolution"


On Fri, 8 Feb 2002, bill parducci wrote:

> >>...which in the context of granting access is the functional equivalent
> >>of setting N/A = TRUE.
> >>
> >>t + n/a = t
> >>
> >
> > Not so, the semantics is that the policy does not apply.
> > We are working with a 3 valued logic (4 if we include evaluation error).
> >
> > f or n/a = f,  (i.e. n/a is not "set" to "true").
> >
>
>
> help me understand this, evaluating the following using this logic
>
>
> t AND n/a
>
> is reduced to
>
> t
>
> which evaluates to TRUE. therefore,
>
> t AND n/a = t
>
> bottom line: if 'n/a' means 'do not consider when resolving' it
> evaluates to TRUE when used in an AND clause in terms of *functional*
> equivalency. can you give me an example otherwise?

In the proposed logic,

t AND t = t
t AND n/a = t

However, that does NOT mean that for

t AND x = t

x must be t (in this logic). For an analogous example in classical logic,
take implication =>

t => t = t
t => f = f
f => t = t
f => f = t

x => t = t does not force x to be t
f => x = t does not force x to be t.

n/a is n/a. It is a separate entity.

cheers,
-Polar

>
> b
>
>


----------------------------------------------------------------
To subscribe or unsubscribe from this elist use the subscription
manager: <http://lists.oasis-open.org/ob/adm.pl>
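The three readings of "n/a" argued over in this thread, written out as an added example (not code from the thread or from any XACML implementation). The value names V.T, V.F, V.NA and the function names are assumptions made for the illustration: "ignore n/a" is the semantics Polar describes (n/a drops out of the combination), "n/a as TRUE" is the substitution bill proposes as functionally equivalent, and "fail closed" is James's rule that any n/a operand under AND denies. The example also checks, over the full truth table, exactly where "ignore n/a" and "n/a as TRUE" disagree, which is Polar's point that f OR n/a = f.

```python
"""Three-valued policy logic from the XACML 'n/a' discussion (added example).

Values: T (applicable, permits), F (applicable, denies), NA (not applicable).
The names below are assumptions for this illustration, not XACML identifiers.
"""
from enum import Enum


class V(Enum):
    T = "t"
    F = "f"
    NA = "n/a"


def _classical_and(a, b):
    return V.T if (a is V.T and b is V.T) else V.F


def _classical_or(a, b):
    return V.T if (a is V.T or b is V.T) else V.F


# --- "ignore n/a": n/a is a separate entity that simply drops out ----------
def and_ignore_na(a, b):
    """t AND n/a = t, f AND n/a = f, n/a AND n/a = n/a."""
    if a is V.NA:
        return b
    if b is V.NA:
        return a
    return _classical_and(a, b)


def or_ignore_na(a, b):
    """t OR n/a = t, f OR n/a = f, n/a OR n/a = n/a."""
    if a is V.NA:
        return b
    if b is V.NA:
        return a
    return _classical_or(a, b)


# --- "n/a as TRUE": substitute TRUE for n/a, then use classical logic -------
def _na_as_true(x):
    return V.T if x is V.NA else x


def and_na_as_true(a, b):
    return _classical_and(_na_as_true(a), _na_as_true(b))


def or_na_as_true(a, b):
    return _classical_or(_na_as_true(a), _na_as_true(b))


# --- "fail closed": any n/a under AND is treated as uncertainty, so deny ----
def and_fail_closed(a, b):
    if a is V.NA or b is V.NA:
        return V.F
    return _classical_and(a, b)


def decision(v):
    """Map a combined value to the access-control outcome a PEP would see."""
    return {V.T: "Permit", V.F: "Deny", V.NA: "NotApplicable"}[v]


def ignore_na_differs_from_na_true():
    """All (op, a, b) cells where 'ignore n/a' and 'n/a as TRUE' disagree.

    Under AND the two readings only differ at n/a AND n/a; under OR they
    differ whenever f meets n/a, because f OR n/a = f but f OR TRUE = t.
    """
    diffs = []
    for a in V:
        for b in V:
            if or_ignore_na(a, b) is not or_na_as_true(a, b):
                diffs.append(("OR", a, b))
            if and_ignore_na(a, b) is not and_na_as_true(a, b):
                diffs.append(("AND", a, b))
    return diffs


def bill_case():
    """bill's case: one predicate permits, the referenced policy is n/a."""
    t, na = V.T, V.NA
    return {
        "ignore n/a": decision(and_ignore_na(t, na)),    # Permit
        "n/a as TRUE": decision(and_na_as_true(t, na)),  # Permit, same here
        "fail closed": decision(and_fail_closed(t, na)),  # Deny (James)
    }


def polar_counterexample():
    """Polar's f OR n/a: the two readings are NOT functionally equivalent."""
    f, na = V.F, V.NA
    return {
        "ignore n/a": decision(or_ignore_na(f, na)),    # Deny
        "n/a as TRUE": decision(or_na_as_true(f, na)),  # Permit
    }


if __name__ == "__main__":
    print("t AND n/a:", bill_case())
    print("f OR n/a: ", polar_counterexample())
    print("disagreements:", ignore_na_differs_from_na_true())
```

The point the code makes concrete: for the single cell bill quotes (t AND n/a) "ignore n/a" and "n/a = TRUE" coincide, but they are different logics, and an administrator who writes a deny rule combined with OR gets Permit under the substitution reading. James's fail-closed rule is the only one of the three that never lets a non-applicable reference widen access.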
