Re: Policy alternatives, negation, [Non]AnonResponse assertion and the none URI

> Anish Karmarkar wrote: Ashok,
>
> So you are saying (I'm rephrasing to get clarity) that:
>
>     "... does not apply .." => one MUST NOT do whatever the missing
>     assertion asked one to do.
>
> Right?

mm1: There has been discussion in WS-Policy to separate do not apply 
from restricted from applying (one is a general statement of intent and 
the latter a restriction from action).  The initial feedback of the 
discussion is that this interpretation (restriction from action alluded 
to by Ashok) may not be the Framework definition.

We are also discussing the separation of the input policy vocabularies 
and those expressed in the resultant policy. Again, it may be premature 
to assume the outcome. Thanks.

> karmarkar: If so, the spec needs to be clarified to make it clear. 
> This was not clear to a lot of folks on WS-Addressing.
> Additionally, does this negation effect apply to only top-level 
> assertions or nested assertions as well? IOW, are nested assertions 
> part of the vocabulary?
>
> One not obvious (not to me) side-effect of this 'negation' is the 
> following:
>
> Consider the scenario where two very complicated policies are created 
> by the IT department. Let's call them P1 and P2. I'm required to use 
> P1 or P2 on services that are exposed outside the firewall. P1 
> contains an assertion A that is absent in P2. If I advertise P1 only 
> then I have to do whatever A asks me to do. If I advertise P2 only, I 
> may or may not use A (as it is not part of the vocabulary) -- it is up 
> to me. If I advertise a policy that says either of P1 or P2 and P2 is 
> selected, I cannot use A. This is very surprising (at least to me). 
> This does not follow the 'principle of least surprise'. "OR"ing 
> operation in other contexts does not introduce negation based on 
> vocabulary set. I'm curious as to the rationale for this. In any case, 
> guidance and clarification in the spec or the primer would be very 
> useful.
> -Anish
>
>> Ashok Malhotra wrote:  If you have a Policy that says Assertion A and 
>> B then you have to do A and B.  Since it says nothing about C, you 
>> may or may not do C.  However, if A, B and C are all in the Policy 
>> Vocabulary (the assertions contained in the Policy) and you select an 
>> alternative from the Policy that contains only A and B, you may not 
>> do C.  Thus, it is a form of negation.
>>
>> All the best, Ashok
>

Received on Monday, 23 April 2007 19:23:21 UTC
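
Anish's P1/P2 scenario under the reading Ashok describes, as an added Python example that is not part of the original thread or of the WS-Policy specification. The assertion names X and Y and all function names are constructed for illustration, nested assertions are not modelled, and mm1's caveat that this reading may not be the Framework definition still applies.

```python
# Added illustration of the "vocabulary negation" reading discussed in the thread.
# A policy is a list of alternatives; an alternative is a frozenset of
# assertion names. Nested assertions are deliberately not modelled.

def vocabulary(policy):
    """All assertion names that appear in any alternative of the policy."""
    return frozenset().union(*policy)

def either(*policies):
    """'P1 or P2': the combined policy offers every alternative of each operand."""
    return [alt for p in policies for alt in p]

def status(policy, selected, assertion):
    """Classify an assertion once one alternative of the policy is selected."""
    if selected not in policy:
        raise ValueError("selected alternative is not part of the policy")
    if assertion in selected:
        return "MUST"            # present in the chosen alternative
    if assertion in vocabulary(policy):
        return "MUST NOT"        # in the vocabulary, absent from the alternative
    return "UNCONSTRAINED"       # policy says nothing about it

def newly_negated(*policies):
    """For each alternative, the assertions that were unconstrained when its
    own policy was advertised alone but become MUST NOT after combining."""
    combined_vocab = vocabulary(either(*policies))
    return [(alt, sorted(combined_vocab - vocabulary(p)))
            for p in policies for alt in p]

# Constructed sample policies: P1 contains assertion A, P2 does not.
P1 = [frozenset({"A", "X", "Y"})]
P2 = [frozenset({"X", "Y"})]

if __name__ == "__main__":
    print("P1 only:           A is", status(P1, P1[0], "A"))
    print("P2 only:           A is", status(P2, P2[0], "A"))
    both = either(P1, P2)
    print("P1 or P2, pick P2: A is", status(both, P2[0], "A"))
    for alt, lost in newly_negated(P1, P2):
        print(sorted(alt), "newly forbidden:", lost)
```

Running `newly_negated` over policies before publishing their combination lists exactly the assertions whose status changes from optional to forbidden, which is the side effect Anish calls surprising.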