HERAS-AF Forum
Topic: "Abandoned" Obligations
Wolfgang Giersche
« on: September 28, 2008, 10:59:58 am »

I'm just going through the RSA Interop document and found a neat issue in the pseudo-code on page 21 that makes me wonder.
If you have a deny-overrides algorithm for a policy set and already found a denying policy amongst the child policies, would you really be interested in picking up obligations from other policies that simply don't matter otherwise? In the pseudo-code, it appears on line 581 that in fact the creator of the scenario is not interested in the obligation of one of the "abandoned" policies. I got the impression that the spec is missing essential semantics here. I understand, however, that unordered combining algorithms would be rendered indeterministic in case of "abandoned" obligations.

Wolfgang Giersche
« Reply #1 on: September 28, 2008, 11:08:18 am »

Reading further in the interop paper, the cautionary note implies that there's actually confusion about the correct behavior. Flo has analyzed the spec and found that obligations MUST NOT be "abandoned". I support that point of view.

Florian Huonder
« Reply #2 on: September 30, 2008, 10:50:22 am »

I fully agree with your point of view.
In my eyes the spec clearly says that all obligations, including the ones from abandoned policies, must be included in the response.

But the question really is whether it is desirable that obligations of abandoned policies be included.

I think that there are two possible scenarios:
  • Obligations from abandoned policies are not included in the response. But that only makes sense in case of ordered combining algorithms. Otherwise the outcome is random.
  • Obligations from abandoned policies are included in the response. In this case ordered and unordered combining algorithms can be treated the same. But this approach would have an impact on the performance of an evaluation.

To conclude:
Both approaches make sense. But clarification is needed. Neither of these has a real drawback compared to the other (except for the performance loss in the second one). Depending on the chosen approach, the policies may have to be designed in another way.
I am sure that it is possible to reach the same outcome with both approaches.

Florian Huonder
« Reply #3 on: November 20, 2008, 08:36:09 am »

Because it is not 100% clear how Obligations (at least in XACML 2.0) should be handled (return abandoned Obligations or don't), I ask myself how we should implement it in our XACML-Implementation.

With the issue http://jira.herasaf.org/browse/XACMLIMPL-8 we are planning to implement the Obligations functionality.

I think the best way to handle this unclarity is to make it configurable, and the user of the XACML-Implementation then has to choose how he or she wants to handle the Obligations.
I think the default value should be "include all Obligations (also from abandoned policies)" because, according to the prior thread-entry, in my eyes the XACML-2.0-Specification says that all must be included.

Another approach would be to decide on one approach.
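
The two behaviours debated in this thread, as an added sketch that is not HERAS-AF code and not part of the original posts: a toy deny-overrides combiner with a hypothetical `include_abandoned` switch, run over constructed child policies in two different orders. It assumes each child is already evaluated, leaves out Indeterminate, and keeps only obligations from children whose decision equals the combined decision.

```python
from dataclasses import dataclass, field

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass
class Policy:
    """Constructed stand-in for an already-evaluated child policy."""
    name: str
    decision: str
    obligations: list = field(default_factory=list)


def deny_overrides(policies, include_abandoned=True):
    """Combine child results; return (decision, obligations, evaluated_count).

    include_abandoned=False stops at the first Deny, so later children are
    never evaluated and their obligations are lost ("abandoned").
    include_abandoned=True evaluates every child before deciding.
    The flag name is hypothetical, chosen for this example.
    """
    evaluated = []
    for policy in policies:
        evaluated.append(policy)
        if policy.decision == DENY and not include_abandoned:
            break  # short-circuit: the remaining children are abandoned

    decisions = [p.decision for p in evaluated]
    if DENY in decisions:
        combined = DENY
    elif PERMIT in decisions:
        combined = PERMIT
    else:
        combined = NOT_APPLICABLE

    # Assumption of this sketch: a child contributes obligations only when
    # its own decision equals the combined decision.
    obligations = sorted(
        ob for p in evaluated if p.decision == combined for ob in p.obligations
    )
    return combined, obligations, len(evaluated)


# Constructed sample: two denying children and one permitting child.
P1 = Policy("P1", DENY, ["log-denial"])
P2 = Policy("P2", PERMIT, ["notify-owner"])
P3 = Policy("P3", DENY, ["alert-admin"])

if __name__ == "__main__":
    for order in ([P1, P2, P3], [P3, P2, P1]):
        names = [p.name for p in order]
        print(names, "short-circuit:", deny_overrides(order, include_abandoned=False))
        print(names, "evaluate all: ", deny_overrides(order, include_abandoned=True))
```

With short-circuiting, the obligations handed to the PEP change with child order while the decision stays Deny; evaluating every child makes the result order-independent at the cost of three evaluations instead of one.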