Policy operators: Clarify where the combination rules apply #129
Comments
|
Agreed that we should clarify this in the spec. |
|
If you choose to clarify this, I would suggest that you could simplify the specification by removing consistency checks altogether and replace this with a very simple validation algorithm when processing metadata. We do this in our implementation. And it works with 100% consistent end result. This is our simplified processing order:
Note: If this simple process is used. Any inconsistency in policy values will lead to a failure in step 4. This is simply that it will be impossible to meet the merged policy if it has conflicting values. This provides much simpler code. In the end, the standard should only describe the rules that determines what is valid and what is not. Whether an implementation is doing this using our algorithm above, or is doing this using consistency checks should be an implementers choice. Describing details of how to do a consistency check is therefore redundant in the standard. It should simply be enough to explain why certain combination of policies inevitably will lead to validation failure. The only rule that MUST be described is the order of value modifiers. |
The current spec (draft 40) says the combination rules apply to a single metadata parameter policy. However, they also apply when statements are merged.
https://openid.net/specs/openid-federation-1_0.html#section-6.1.3
"Metadata parameter policy" is defined in https://openid.net/specs/openid-federation-1_0.html#section-6.1.2.
Also note, for federation architects and in view of PR #112, that not all allowed combination make sense to be used in a single metadata parameter policy, but to enable the merge of policy statements from different entities.
The text was updated successfully, but these errors were encountered: