rules for SPKI <auth> field comparisons
We need to define a mechanism to be used by those who define new <auth>
fields so that they can describe the sorting order for their fields. We
could fall back on the generality of a full programming language, as
PolicyMaker does, but that feels like a cop-out to me. If we can't define
this simply, then we're probably putting too much burden on the average
definer of <auth> fields (e.g., some sysadmin who has come up with a new
privilege she wants to allocate to keyholders).
Does anyone have a preference here?
I'm inclined to describe ordering the way one gives parameters to a sort
command: specify the order in which parameter fields are to be checked;
whether each field is numeric, alphanumeric or pathname; whether each field
is normal or inverted order; whether the fields must be = to be compared
(e.g., as in account numbers).
It's clear that a full programming language is necessary for really complex
<auth> statements, and I'm planning to propose that in the new draft, but
for run of the mill <auth> statements, I'd like to avoid plunging the author
into programming. Specifically, I'd like to offer three levels of <auth>
complication:
1) (the default): verb must be equal, parameters must be equal if present
but a missing parameter is assumed to include a present one. All fields are
taken to be alpha-numeric.
e.g., "checking" > "checking 02-345-67"
2) (next level): sysadmin can provide a file of defined <auth> fields with
explicit comparison rules. Fields can be A) alphabetic, AN) alphanumeric,
N) numeric.
bank > bank A1
bank A1 > checking A1
checking A1 <> checking A2, if A1 <> A2
checking A1 > checking A1 AN2
checking A1 AN2 <> checking A1 AN3, if AN2 <> AN3
checking A1 AN2 > checking A1 AN2 N3
checking A1 AN2 N3 > checking A1 AN2 N4, if N3 > N4
3) (final): sysadmin can provide a program in some language (PolicyMaker's
awkward?) which performs comparisons among <auth> fields with arbitrary
interpretations.
- Carl
+------------------------------------------------------------------+
|Carl M. Ellison cme@cybercash.com http://www.clark.net/pub/cme |
|CyberCash, Inc. http://www.cybercash.com/ |
|207 Grindall Street PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Baltimore MD 21230-4103 T:(410) 727-4288 F:(410)727-4293 |
+------------------------------------------------------------------+
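Added worked example, not part of Carl's message or of any SPKI draft: a toy checker that implements the level 1 default rule and the level 2 typed-field rules described above as a single "does grant G cover request R" predicate. Everything about the rules file is an assumption made here for illustration: its format (one line per verb: the verb, a parent verb or "-", then one type code per parameter position), the parent column that models "bank A1 > checking A1" as a verb hierarchy, the two extra type codes N- (numeric, inverted order) and P (pathname prefix) taken from the sort-parameter description in the message rather than from the level 2 list, and the choice to read field types from the requested (narrower) verb's entry with AN as the fallback. Malformed values fail closed (alphabetic fields must be alphabetic, numeric fields must be integers).

```python
"""Toy checker for the three-level <auth> comparison scheme (added example)."""
from __future__ import annotations
import re
from typing import Dict, List, NamedTuple, Optional


class VerbRule(NamedTuple):
    parent: Optional[str]  # broader verb this one is a sub-privilege of
    types: List[str]       # one of A, AN, N, N-, P per parameter position


Rules = Dict[str, VerbRule]

# Constructed rules file in a hypothetical format (not from the message):
# verb, parent verb or "-", then a type code per parameter position.
RULES_TEXT = """
# verb      parent   field types
bank        -        A
checking    bank     A AN N
backup      -        P N-
"""

VALID_TYPES = ("A", "AN", "N", "N-", "P")
INT_RE = re.compile(r"-?\d+")


def parse_rules(text: str) -> Rules:
    """Parse the rules file; unknown type codes are a configuration error."""
    rules: Rules = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        verb, parent, *types = line.split()
        for t in types:
            if t not in VALID_TYPES:
                raise ValueError(f"unknown field type {t!r} for verb {verb!r}")
        rules[verb] = VerbRule(None if parent == "-" else parent, types)
    return rules


def verb_covers(rules: Rules, granted: str, requested: str) -> bool:
    """Granted verb must be the requested verb or one of its ancestors."""
    seen = set()
    v: Optional[str] = requested
    while v is not None and v not in seen:   # 'seen' guards against cycles
        if v == granted:
            return True
        seen.add(v)
        v = rules[v].parent if v in rules else None
    return False


def field_covers(ftype: str, g: str, r: str) -> bool:
    """Compare one parameter position; malformed values fail closed."""
    if ftype == "A":                     # alphabetic, must be equal
        return g.isalpha() and r.isalpha() and g == r
    if ftype == "AN":                    # alphanumeric, must be equal
        return g == r
    if ftype in ("N", "N-"):             # numeric: larger (N) or smaller (N-) grant is broader
        if not (INT_RE.fullmatch(g) and INT_RE.fullmatch(r)):
            return False
        return int(g) >= int(r) if ftype == "N" else int(g) <= int(r)
    if ftype == "P":                     # pathname: grant is the request or a parent directory
        return r == g or r.startswith(g.rstrip("/") + "/")
    return False


def covers_default(granted: str, requested: str) -> bool:
    """Level 1: verbs equal, all fields alphanumeric and equal; a missing
    trailing field on the granting side includes any present one."""
    g, r = granted.split(), requested.split()
    if not g or not r or g[0] != r[0] or len(g) > len(r):
        return False
    return all(field_covers("AN", gf, rf) for gf, rf in zip(g[1:], r[1:]))


def covers(rules: Rules, granted: str, requested: str) -> bool:
    """Level 2: verb hierarchy plus typed fields from the rules file.
    Types come from the requested verb's entry; undefined positions are AN."""
    g, r = granted.split(), requested.split()
    if not g or not r or len(g) > len(r):   # a more specific grant never covers
        return False
    if not verb_covers(rules, g[0], r[0]):
        return False
    types = rules[r[0]].types if r[0] in rules else []
    for i, (gf, rf) in enumerate(zip(g[1:], r[1:])):
        if not field_covers(types[i] if i < len(types) else "AN", gf, rf):
            return False
    return True


RULES = parse_rules(RULES_TEXT)

if __name__ == "__main__":
    for a, b in [("bank smith", "checking smith"),
                 ("checking smith acct7 500", "checking smith acct7 250"),
                 ("checking smith acct7 250", "checking smith acct7 500"),
                 ("backup /home 3", "backup /home/alice 7")]:
        print(f"{a!r:30} covers {b!r:30}: {covers(RULES, a, b)}")
```

The numeric rule follows the message's "N3 > N4" example (a larger number is the broader grant, as for a spending limit); N- reverses that for fields where a smaller number is broader. Note that the level 1 check and the level 2 check can disagree on the same strings ("checking 500" covers "checking 250" only once the third field is declared numeric), which is exactly why the rules file has to be part of the verifier's trusted configuration.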