[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

rules for SPKI <auth> field comparisons

We need to define a mechanism to be used by those who define new <auth> 
fields so that they can describe the sorting order for their fields.  We 
could fall back on the generality of a full programming language, as 
PolicyMaker does, but that feels like a cop-out to me.  If we can't define 
this simply, then we're probably putting too much burden on the average 
definer of <auth> fields (e.g., some sysadmin who has come up with a new 
privilege she wants to allocate to keyholders).

Does anyone have a preference here?

I'm inclined to describe ordering the way one gives parameters to a sort 
command:  specify the order in which parameter fields are to be checked; 
whether each field is numeric, alphanumeric or pathname; whether each field 
is normal or inverted order; whether the fields must be = to be compared 
(e.g., as in account numbers).

It's clear that a full programming language is necessary for really complex 
<auth> statements, and I'm planning to propose that in the new draft, but 
for run of the mill <auth> statements, I'd like to avoid plunging the author 
into programming.  Specifically, I'd like to offer three levels of <auth> 

1) (the default): verb must be equal, parameters must be equal if present 
but a missing parameter is assumed to include a present one.  All fields are 
taken to be alpha-numeric.

	e.g., "checking" > "checking 02-345-67"

2) (next level): sysadmin can provide a file of defined <auth> fields with 
explicit comparison rules.  Fields can be A) alphabetic, AN) alphanumeric, 
N) numeric.

	bank > bank A1
	bank A1 > checking A1
	checking A1 <> checking A2, if A1 <> A2
	checking A1 > checking A1 AN2
	checking A1 AN2 <> checking A1 AN3, if AN2 <> AN3
	checking A1 AN2 > checking A1 AN2 N3
	checking A1 AN2 N3 > checking A1 AN2 N4, if N3 > N4

3) (final): sysadmin can provide a program in some language (PolicyMaker's 
awkward?) which performs comparisons among <auth> fields with arbitrary 

 - Carl

|Carl M. Ellison  cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc.                      http://www.cybercash.com/    |
|207 Grindall Street   PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Baltimore MD 21230-4103  T:(410) 727-4288  F:(410)727-4293        |