Network Working Group                                          L. Bartz
Internet Draft                                 Internal Revenue Service
Expires June, 2003                                       December, 2002

Logically Succinct Basic Policy Rule Components
< draft-bartz-lsb-policy-rule-components-00.txt >

Status of this Memo

This document is an Internet-Draft and is subject to all provisions of Section 10 of RFC2026.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at http://www.ietf.org/1id-abstracts.html

The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

Copyright Notice

Copyright (C) The Internet Society (2002). All Rights Reserved.

Abstract

Logically Succinct Basic Policy Rule Components (LSBPRC) provides model extensions to the Policy Core Information Model (PCIM) and implementable extensions to the Policy Core LDAP Schema (PCLS) in which the logic of conditions and actions can be succinctly expressed and explicitly interpreted. LSBPRC offers a direct and invariant connection between the rule designer's intention and the rule interpreter's evaluation of the rulebase.

Bartz                                                          [Page 1]
INTERNET-DRAFT                    LSBPRC                 December, 2002

Table of Contents

1. Introduction
2. LSBPRC Information Model
  2.1. Design Goals
  2.2. Operands of Logical Operations
    2.2.1. Operands of Comparison Operations
    2.2.2. Operands of Assignment Operations
    2.2.3. RHS Operand Families
      2.2.3.1. Specified Operands
      2.2.3.2. Computed Operands
        2.2.3.2.1. Dynamic Operand
        2.2.3.2.2. LDAP URL Value Operand
  2.3. Logical Operations
    2.3.1. Conditions as Comparison Operations
    2.3.2. Actions as Assignment Operations
      2.3.2.1. Assignment Modes
    2.3.3. Actions as Invokers of Computational Resources
3. LSBPRC Directory Schema
  3.1. LSBPRC Family Objectclasses
    3.1.1. lsbCondition
    3.1.2. lsbAction
  3.2. LSBPRC Attributetypes
    3.2.1. Named Operand
    3.2.2. Specified Operands
      3.2.2.1. String Operand
      3.2.2.2. Integer Operand
      3.2.2.3. Float Operand
      3.2.2.4. Boolean Operand
      3.2.2.5. BitString Operand
      3.2.2.6. OctetString Operand
    3.2.3. Computed Operands
      3.2.3.1. Dynamic Operand Value Operand
      3.2.3.2. LDAP URL Value Operand
    3.2.4. Utility Attributes
      3.2.4.1. String Ignore Case Flag
      3.2.4.2. String Concatenation Delimiter
      3.2.4.3. Assignment Mode
  3.3. LSBPRC Implementable Objectclasses
    3.3.1. LSBPRC Condition Components
      3.3.1.1. String Comparison Operations
        3.3.1.1.1. String Equality
        3.3.1.1.2. String GreaterThan
        3.3.1.1.3. String LessThan
        3.3.1.1.4. String Length Equality
        3.3.1.1.5. String Length GreaterThan
        3.3.1.1.6. String Length LessThan
        3.3.1.1.7. String BeginsWith
        3.3.1.1.8. String EndsWith
        3.3.1.1.9. String Contains
        3.3.1.1.10. String Exists
      3.3.1.2. Integer Comparison Operations
        3.3.1.2.1. Integer Equality
        3.3.1.2.2. Integer GreaterThan
        3.3.1.2.3. Integer LessThan
        3.3.1.2.4. Integer Exists
      3.3.1.3. Float Comparison Operations
        3.3.1.3.1. Float Equality
        3.3.1.3.2. Float GreaterThan
        3.3.1.3.3. Float LessThan
        3.3.1.3.4. Float Exists
      3.3.1.4. Boolean Comparison Operations
        3.3.1.4.1. Boolean Equality
      3.3.1.5. BitString Comparison Operations
        3.3.1.5.1. Bit Value Equality
        3.3.1.5.2. Bit Value GreaterThan
        3.3.1.5.3. Bit Value LessThan
        3.3.1.5.4. BitString Exists
      3.3.1.6. Delegated Comparison Operations
        3.3.1.6.1. Delegation to Distributed Object
    3.3.2. LSBPRC Action Components
      3.3.2.1. String Assignment Operations
        3.3.2.1.1. String Assignment
        3.3.2.1.2. String Concatenation
      3.3.2.2. Integer Assignment Operations
        3.3.2.2.1. Integer Assignment
        3.3.2.2.2. Integer PlusEquals
        3.3.2.2.3. Integer MinusEquals
        3.3.2.2.4. Integer MultEquals
        3.3.2.2.5. Integer DivEquals
        3.3.2.2.6. Integer ModuloEquals
      3.3.2.3. Float Assignment Operations
        3.3.2.3.1. Float Assignment
        3.3.2.3.2. Float PlusEquals
        3.3.2.3.3. Float MinusEquals
        3.3.2.3.4. Float MultEquals
        3.3.2.3.5. Float DivEquals
        3.3.2.3.6. Float ModuloEquals
      3.3.2.4. Boolean Assignment Operations
        3.3.2.4.1. Boolean Assignment
      3.3.2.5. BitString Assignment Operations
        3.3.2.5.1. Bitwise Shift Left
        3.3.2.5.2. Bitwise Shift Right
        3.3.2.5.3. Bitwise Shift Right Zero-fill
        3.3.2.5.4. Bitwise AND
        3.3.2.5.5. Bitwise OR
        3.3.2.5.6. Bitwise XOR
        3.3.2.5.7. Bitwise OnesComplement
      3.3.2.6. Delegated Assignment Operations
        3.3.2.6.1. Delegation to Distributed Object
      3.3.2.7. Delegated Action to Computing Resource
        3.3.2.7.1. Delegation to Distributed Object
    3.3.3. LSBPRC Policy Alias
4. Security Considerations
5. Intellectual Property
6. Acknowledgements
7. References
8. Author's Address
9. Full Copyright Statement

1. Introduction

Logically Succinct Basic Policy Rule Components (LSBPRC) provides model extensions to PCIM [1] and implementable extensions to PCLS [2] in which the logic of conditions and actions can be succinctly expressed and explicitly interpreted. LSBPRC offers a direct and invariant connection between the rule designer's intention and the rule interpreter's evaluation of the rulebase.

PCIM and PCLS each provide abstract, non-implementable definitions for the components of a rule; the condition and action components. LSBPRC provides explicit modeling of broad ranges of conditions as comparison operations, and of actions as assignment operations. LSBPRC also provides mechanisms by which policy actions may invoke computing resources which fulfill a rule's requirement for "action". LSBPRC's Directory [3,4,5] schema provides concrete, implementable objectclasses and attributetypes which realize the model.

Expert Systems (ES) [6] is a discipline of the field of Artificial Intelligence (AI).
ES is also commonly known as "rule-based AI". Among the many disciplines of AI, ES is widely acknowledged as one which has achieved a comparatively significant level of maturity, with readily accessible concepts, widely available software, and many successful and productive applications.

The terminology and concepts of PCIM show a strong correspondence to the terminology and concepts of Expert Systems. There is no evidence in PCIM that this correspondence was deliberate. Nevertheless, the affinity of Policy for Expert Systems, even if unintentional, is strong. In PCIM, rules are composed of conditions and actions, just as in Expert Systems. The compositional nature of rules, in which conditions and actions are components, is common to both PCIM and Expert Systems. Accordingly, the abstract compositional building blocks of PCIM and PCLS, when evaluated from the perspective of ES, are very familiar and compelling.

LSBPRC is inspired, motivated, and informed by the concepts and patterns of Expert Systems. This is not to say that an Expert System is the only mechanism which is capable of using LSBPRC's information model and schema. Rather, Expert Systems strategies and methodologies illuminate a path which leads to LSBPRC's concrete and implementable extensions of the PCIM and PCLS.

In Expert Systems implementations, the comparison operators of conditional operations, the assignment operators of action operations, and the operators of action operations which activate or invoke computational resources are all integrated with the condition and action components. These operators of conditions and actions convey the rule designer's precise intentions. This precision empowers the rule evaluator (the PDP, in the case of PCIM), giving it the capability to faithfully execute the rule as it was designed.

This is the foundational premise of LSBPRC: that the discipline of Expert Systems offers a "best practices" example for the expression, persistence, and evaluation of rules. Specifically, a rule is not defined unless the logic of its condition and action components is unequivocal.

With the decision to explicitly support the comparison operators of conditions and the assignment and execution operators of actions concluded, the question arises of how many operators, and which ones, to support. LSBPRC intends to serve as a general purpose model and as a vehicle for implementation of policy-based systems and applications, regardless of their particular information and problem domains. Accordingly, LSBPRC explicitly supports a limited yet thorough set of operators which are generally useful. As a hedge, LSBPRC also supports "escape hatches", built-in mechanisms which allow implementors to define and invoke their own purpose-built condition and action operators as distributed objects.

The choice of which condition and action operators are explicitly supported in LSBPRC is dependent upon evidence of "best practices". The choice of operators is drawn from primitive comparison and assignment operators implemented in programming languages such as C [9] and Java [10], and in scripting languages such as ECMAScript [11]. Again, the domain of Expert Systems reinforces this "best practices" evidence, as these common operators are generally supported as native functions.

Unlike PCIM and PCLS, this document presents LSBPRC's information model and Directory schema in one document. This is not to imply that the Directory schema is the only possible technical specification of LSBPRC's information components. Neither does it imply that the Directory is the only possible repository for the persistence of LSBPRC's information.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119, reference [7]. The key words "PDP" and "PEP" are to be interpreted as described in RFC 3060, reference [1].

NOTE: This draft is dependent upon a Work in Progress [2]. A subsequent version of this draft will reference [2] by its RFC when appropriate.

2. LSBPRC Information Model

2.1. Design Goals

Goals which shaped the design of LSBPRC include:

- provide concrete, immediately implementable and useful model and schema
- provide model and schema for widely-applicable, general purpose rules, conditions, and actions
- avoid dependence upon, or explicit support for, any particular application domain of rules, conditions, or actions
- support capability for rule authors to explicitly define the logical comparison operations of conditions and the logical assignment operations of actions
- support capability for rule interpreters to unequivocally evaluate and act upon the expressed intent of rule authors
- explicitly define conditions as comparison operations
- provide a broad range of comparison operations based upon comparison operations which are widely implemented and used
- explicitly define actions as assignment operations
- provide a broad range of assignment operations based upon assignment operations which are widely implemented and used
- leverage the rule expression, storage, and evaluation patterns of Expert Systems
- define typesafe operands for the comparison operations of conditions and the assignment operations of actions
- provide mechanism for using the results (assigned values) of rules as operands in other rules
- provide built-in extension mechanisms to support conditions and actions which are not, should not, or cannot be defined in this model
- provide explicit mechanisms which can invoke computing resources to fulfill a rule's requirements for "action"

2.2. Operands of Logical Operations

LSBPRC defines conditions as comparison operations, and actions as assignment operations. The expression of an operation in this model requires an operator, which is a specific logical function, and operands, which are the information components with which the operator computes.

The definitions of LSBPRC's logical operators are encapsulated as objectclass definitions, as described in sections 2.3 and 3.3 of this document. LSBPRC's operands are described here.

LSBPRC explicitly supports six data types for operands of its logical operations. These are String, Integer, Float, Boolean, Bit String, and Octet String. To promote typesafety of logical operations, each general operand kind is represented by six type-specific instances.

2.2.1. Operands of Comparison Operations

In the comparison operations of conditions, there are two categories of operands.

First is the operand which represents the value which is the subject of the comparison. This is called the "Named Operand" of a comparison operation throughout this model. As with all other LSBPRC operand kinds, Named Operand supports typesafety in logical operations. The statically-defined value is always a name, so it is expressed as a string value. The six instances of Named Operand designate, by their names and through the semantics of their definitions, the types of the values to which they refer. The Named Operand can be thought of as residing on the left-hand side (LHS) of a comparison operation.

Second is the operand which constitutes the comparison criteria. The model nominates many specific attributetypes to serve this role. Each is known as a "Comparison Operand" of a comparison operation throughout this model. The Comparison Operand can be thought of as residing on the right-hand side (RHS) of a comparison operation.

2.2.2. Operands of Assignment Operations

In the assignment operations of actions, there are two categories of operands.

First is the operand to which a value is assigned by the operation. This is called the "Named Operand" of an assignment operation in this model. As with all other LSBPRC operand kinds, Named Operand supports typesafety in logical operations. The statically-defined value is always a name, so it is expressed as a string value. The six instances of Named Operand designate, by their names and through the semantics of their definitions, the types of the values to which they refer. The Named Operand can be thought of as residing on the left-hand side (LHS) of an assignment operation.

Second is the operand which represents the value to be assigned or a value from which the value to be assigned is computed. This model nominates many specific attributetypes to serve this role. Each is known as an "Assignment Operand" of an action operation throughout this model. The Assignment Operands can be thought of as residing on the right-hand side (RHS) of an assignment operation.

2.2.3. RHS Operand Families

Comparison Operands and Assignment Operands are drawn from two families of operands, the Specified Operands and the Computed Operands.

2.2.3.1. Specified Operands

Specified Operands are typesafe. They represent the domain of constant and literal information types which are supported for comparison operations and assignment operations in this model. The types include String, Integer, Float, Boolean, Bit String, and Octet String. Specified Operands provide the mechanism for expressing operands as constants or literal values in the logical operations of LSBPRC.

2.2.3.2. Computed Operands

Computed Operands require some computation to reveal their values. LSBPRC defines two types of Computed Operand.

2.2.3.2.1. Dynamic Operand

The static value of a Dynamic Operand is the name of a variable which is available to the PDP.
This name MUST be dereferenced by the PDP so that the PDP may evaluate the operation using the runtime values which are associated with the statically-defined name. The dereferenced name/value-set could be a name/value-set which is provided to the PDP by the PEP, or a name/value-set which the PDP can glean from its own environment, or a name/value-set which has been created or modified by another rule.

Note that although a Dynamic Operand is single-valued (one name of one variable), the act of dereferencing a Dynamic Operand may reveal that the variable itself is multi-valued. Implementations which use Dynamic Operand MAY limit applicability to single-valued variables in order to simplify processing. Otherwise, implementations SHOULD iterate over all values of a multi-valued Dynamic Operand. Use of Dynamic Operand in which the name value designates a variable which is multi-valued is not defined for usage as Assignment Operand.

As with all other LSBPRC operand kinds, Dynamic Operand supports typesafety in logical operations. The statically-defined value is always a name, so it is expressed as a string value. The six instances of Dynamic Operand designate, by their names and through the semantics of their definitions, the types of the values to which they refer.

2.2.3.2.2. LDAP URL Value Operand

The static value of an LDAP URL Value Operand is an LDAP URL, as defined in [8]. LSBPRC constrains the usage of LDAP URL for use in this model to forms in which one and ONLY one attribute is specified as the URL's search criteria. This LDAP URL MUST be dereferenced so that the PDP may evaluate the operation using the values which are associated with the statically-defined URL.

Note that although an LDAP URL Value Operand is single-valued (one URL which solicits values of one attribute), the act of dereferencing an LDAP URL Value Operand may reveal that the variable itself is multi-valued. Implementations which use LDAP URL Value Operand MAY limit applicability to single-valued variables in order to simplify processing. Otherwise, implementations SHOULD iterate over all values of a multi-valued LDAP URL Value Operand. Use of LDAP URL Value Operand in which the solicited attribute designates an attribute which is multi-valued is not defined for usage as Assignment Operand.

As with all other LSBPRC operand kinds, LDAP URL Value Operand supports typesafety in logical operations. The statically-defined value is always a URI, so it is expressed as a string value. The six instances of LDAP URL Value Operand designate, by their names and through the semantics of their definitions, the types of the values to which they refer.

2.3. Logical Operations

2.3.1. Conditions as Comparison Operations

LSBPRC conditions are comparison operations which yield boolean results. Comparison operations are typesafe, by virtue of their objectclass name and semantic description, and by the type specifications of their attributes.

Many operator-specific and datatype-specific classes are defined in 3.3.1 and subordinate sections of this document.

When the specified comparisons are not sufficient to satisfy an implementation's requirements, a rule may delegate the comparison operation to a distributed object, as described in 3.3.1.6. The delegated comparison operation is identified in the information model and in the Directory as per either RFC 2713 [13] or RFC 2714 [14].

NOTE: A subsequent version of this draft may specify Java [10] classes, Java interfaces, and CORBA IDL (Interface Definition Language) [12] which are suitable for use in implementing these operations.

2.3.2. Actions as Assignment Operations

LSBPRC actions are assignment operations which assign values to variables. Assignment operations are typesafe, by virtue of their objectclass name and semantic description, and by the type specifications of their attributes.
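
The following Python code is an added example, not part of the draft: it shows how a PDP might dereference the Computed Operands of sections 2.2.3.2.1 and 2.2.3.2.2 before a comparison or assignment, enforcing the one-attribute LDAP URL rule, the type named by the operand attribute, and single-valued Assignment Operands. The variable store, the lookup callback, the sample URL and attribute name, and the choice to reject a multi-valued Assignment Operand are assumptions of the example; Bit String and Octet String operands are omitted, and values are assumed to arrive as strings.

```python
import operator
from urllib.parse import unquote


class OperandError(ValueError):
    """An operand violates an LSBPRC constraint or its declared type."""


def _ldap_bool(text):
    # LDAP Boolean syntax allows exactly these two literals.
    if text not in ("TRUE", "FALSE"):
        raise ValueError(text)
    return text == "TRUE"


# Type suffix of the operand attribute name -> coercion from directory text.
COERCE = {"Str": str, "Int": int, "Float": float, "Bool": _ldap_bool}
DYN, URL = "lsbOperandDyn", "lsbOperandValueLDAPURL"


def parse_ldap_url_operand(url):
    """Split ldap://hostport/dn?attributes?scope?filter; require one attribute."""
    if not url.lower().startswith("ldap://"):
        raise OperandError("not an LDAP URL")
    hostport, _, tail = url[len("ldap://"):].partition("/")
    fields = tail.split("?")
    if len(fields) > 5:
        raise OperandError("too many '?' fields")
    dn, attrs, scope, filt, _ext = fields + [""] * (5 - len(fields))
    names = [unquote(a) for a in attrs.split(",") if a]
    # An empty list or "*" asks for every attribute, which the draft forbids.
    if len(names) != 1 or names[0] == "*":
        raise OperandError("exactly one attribute must be requested")
    return {
        "hostport": hostport,
        "dn": unquote(dn),
        "attribute": names[0],
        "scope": scope or "base",                      # RFC 2255 default
        "filter": unquote(filt) or "(objectClass=*)",  # RFC 2255 default
    }


def resolve_operand(attr_name, static_value, variables, ldap_lookup, role):
    """Dereference a Computed Operand and return its typed values as a list."""
    for family in (URL, DYN):
        if attr_name.startswith(family):
            suffix = attr_name[len(family):]
            break
    else:
        raise OperandError("not a Computed Operand: " + attr_name)
    if suffix not in COERCE:
        raise OperandError("unsupported type suffix: " + suffix)
    if family == DYN:
        if static_value not in variables:
            raise OperandError("unknown variable: " + static_value)
        raw = variables[static_value]
    else:
        # The URL is validated before anything is dereferenced.
        raw = ldap_lookup(parse_ldap_url_operand(static_value))
    raw = list(raw) if isinstance(raw, (list, tuple)) else [raw]
    if not all(isinstance(v, str) for v in raw):
        raise OperandError("values must arrive as strings")
    try:
        values = [COERCE[suffix](v) for v in raw]
    except ValueError as exc:
        raise OperandError("value is not of type " + suffix) from exc
    # Multi-valued Assignment Operands are undefined in the draft; this
    # example chooses to refuse them rather than pick a value.
    if role == "assignment" and len(values) != 1:
        raise OperandError("assignment operand must be single-valued")
    return values


def compare_each(named_value, op, operand_values):
    """Apply one comparison operator against every value of the RHS operand."""
    return [op(named_value, v) for v in operand_values]


# Constructed sample data: a PDP variable store and a stand-in directory.
VARIABLES = {"maxSessions": ["10", "25"], "quota": "500", "label": ["a", "b"]}
DIRECTORY = {("ou=policy,dc=example,dc=com", "thresholdValue"): ["40", "80"]}


def fake_lookup(parsed):
    """Stand-in for the LDAP search a PDP would issue (assumption)."""
    return DIRECTORY.get((parsed["dn"], parsed["attribute"]), [])


def demo():
    url = "ldap://ldap.example.com/ou=policy,dc=example,dc=com?thresholdValue?base"
    rhs = resolve_operand(URL + "Int", url, VARIABLES, fake_lookup, "comparison")
    return compare_each(50, operator.gt, rhs)  # one result per RHS value


if __name__ == "__main__":
    print(demo())
```

The draft requires iteration over all values of a multi-valued Comparison Operand but, in the sections shown here, does not say how the per-value results combine, so `compare_each` returns them individually.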
Many operator-specific and datatype-specific classes are defined in 3.3.1 and subordinate sections of this document. When the specified assignment operations are not sufficient to satisfy an implementation's requirements, a rule may delegate the assignment operation to a distributed object, as described in 3.3.2.6. The delegated assignment operation is identified in the information model and in the Directory as per either RFC 2713 [13] or RFC 2714 [14]. NOTE: A subsequent version of this draft may specify Java [10] classes, Java interfaces, and CORBA IDL (Interface Definition Language) [12] which are suitable for use in implementing these operations. 2.3.2.2. Assignment Modes LSBPRC supports several strategies for assigning values to variables. These include: - replace any/all Named Operand values by single value - augment multivalued Named Operand by additional value - modify all values of Named Operand by assignment operation - delete specified value from value set of Named Operand The attribute lsbActionAssignmentMode, implemented as an integer enumerator, indicates which strategy is specified for each assignment operation. See 3.2.4.3. 2.3.3. Actions as Invokers of Computational Resources Bartz [Page 11] INTERNET-DRAFT LSBPRC December, 2002 The Delegated Action component may invoke computing resources which fulfill a rule's requirement for "action". 3. LSBPRC Directory Schema NOTE: OIDs for the schema elements in this document have not been assigned. This note to be removed prior to publication. All uses of OIDs are indicated symbolically. For example, OID-OC.1 is a placeholder that will be replaced by a real OID before publication. 3.1. LSBPRC Family Objectclasses 3.1.1. lsbCondition objectclass ( OID-OC.1 NAME 'lsbCondition' DESC 'Class from which all lsb Condition classes inherit. Subtypes specify logically succinct comparison operations in which the value of a Named Operand is evaluated with respect to the value of Comparison Operand. 
The comparison operation yields a boolean result.' SUP pcimConditionAuxClass AUXILIARY ) 3.1.2. lsbAction objectclass ( OID-OC.2 NAME 'lsbAction' DESC 'Class from which all lsb Action classes inherit. Subtypes specify logically succinct assignment operations in which the value of a Named Operand is assigned using the value of an Assignment Operand.' SUP pcimActionAuxClass AUXILIARY ) 3.2. LSBPRC Attributetypes Bartz [Page 12] INTERNET-DRAFT LSBPRC December, 2002 3.2.1. Named Operand attributetype ( OID-AT.1 NAME 'lsbOperandNamedStr' DESC 'The Named Operand of a logical comparison or assignment operation. In a Condition, it is the subject of the comparison operation. In an Action, it is the target of the assignment operation. This Named Operand type represents a variable which possesses some value(s) of type String.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SINGLE-VALUE USAGE userApplications ) attributetype ( OID-AT.2 NAME 'lsbOperandNamedInt' DESC 'The Named Operand of a logical comparison or assignment operation. In a Condition, it is the subject of the comparison operation. In an Action, it is the target of the assignment operation. This Named Operand type represents a variable which possesses some value(s) of type Integer.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SINGLE-VALUE USAGE userApplications ) attributetype ( OID-AT.3 NAME 'lsbOperandNamedFloat' DESC 'The Named Operand of a logical comparison or assignment operation. In a Condition, it is the subject of the comparison operation. In an Action, it is the target of the assignment operation. This Named Operand type represents a variable which possesses some value(s) of type Float.' 
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SINGLE-VALUE USAGE userApplications ) Bartz [Page 13] INTERNET-DRAFT LSBPRC December, 2002 attributetype ( OID-AT.4 NAME 'lsbOperandNamedBitStr' DESC 'The Named Operand of a logical comparison or assignment operation. In a Condition, it is the subject of the comparison operation. In an Action, it is the target of the assignment operation. This Named Operand type represents a variable which possesses some value(s) of type Bit String.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SINGLE-VALUE USAGE userApplications ) attributetype ( OID-AT.5 NAME 'lsbOperandNamedBool' DESC 'The Named Operand of a logical comparison or assignment operation. In a Condition, it is the subject of the comparison operation. In an Action, it is the target of the assignment operation. This Named Operand type represents a variable which possesses some a value of type Boolean.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SINGLE-VALUE USAGE userApplications ) attributetype ( OID-AT.6 NAME 'lsbOperandNamedOctStr' DESC 'The Named Operand of a logical comparison or assignment operation. In a Condition, it is the subject of the comparison operation. In an Action, it is the target of the assignment operation. This Named Operand type represents a variable which possesses some value(s) of type Octet String.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SINGLE-VALUE USAGE userApplications ) 3.2.2. Specified Operands Bartz [Page 14] INTERNET-DRAFT LSBPRC December, 2002 3.2.2.1. String Operand attributetype ( OID-AT.7 NAME 'lsbOperandSpecStr' DESC 'String value of the operand with which the Named Operand of a condition is compared or with which the Named Operand of an action is assigned. In lsbCondition types, this is a Comparison Operand. 
In lsbAction types, this is an Assignment Operand.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SINGLE-VALUE USAGE userApplications ) 3.2.2.2. Integer Operand attributetype ( OID-AT.9 NAME 'lsbOperandSpecInt' DESC 'Integer value of the operand with which the Named Operand of a condition is compared or with which the Named Operand of an action is assigned. In lsbCondition types, this is a Comparison Operand. In lsbAction types, this is an Assignment Operand.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 EQUALITY integerMatch ORDERING integerOrderingMatch SINGLE-VALUE USAGE userApplications ) 3.2.2.3. Float Operand attributetype ( OID-AT.11 NAME 'lsbOperandSpecFloat' DESC 'Floating point value of the operand with which the Named Operand of a condition is compared or with which the Named Operand of an action is assigned. There is no floating point attribute type defined for the Directory. Implementors should adhere to common representations of floating point values, such as such as 765.482 or 7.65482e+2. In lsbCondition types, this is a Comparison Operand. In lsbAction types, this is an Assignment Operand.' Bartz [Page 15] INTERNET-DRAFT LSBPRC December, 2002 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SINGLE-VALUE USAGE userApplications ) 3.2.2.4. Boolean Operand attributetype ( OID-AT.13 NAME 'lsbOperandSpecBool' DESC 'Boolean value of the operand with which the Named Operand of a condition is compared or with which the Named Operand of an action is assigned. In lsbCondition types, this is a Comparison Operand. In lsbAction types, this is an Assignment Operand.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 EQUALITY booleanMatch SINGLE-VALUE USAGE userApplications ) 3.2.2.5. 
BitString Operand attributetype ( OID-AT.15 NAME 'lsbOperandSpecBitStr' DESC 'Bit String value of the operand with which the Named Operand of a condition is compared or with which the Named Operand of an action is assigned. In lsbCondition types, this is a Comparison Operand. In lsbAction types, this is an Assignment Operand.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 EQUALITY bitStringMatch SINGLE-VALUE USAGE userApplications ) 3.2.2.6. OctetString Operand attributetype ( OID-AT.17 NAME 'lsbOperandSpecOctStr' DESC 'Octet String value of the operand with which the Named Bartz [Page 16] INTERNET-DRAFT LSBPRC December, 2002 Operand of a condition is compared or with which the Named Operand of an action is assigned. In lsbCondition types, this is a Comparison Operand. In lsbAction types, this is an Assignment Operand.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 EQUALITY octetStringMatch ORDERING octetStringOrderingMatch SINGLE-VALUE USAGE userApplications ) 3.2.3. Computed Operands 3.2.3.1. Dynamic Operand Value Operand attributetype ( OID-AT.19 NAME 'lsbOperandDynStr' DESC 'Name of an operand, the value of which is used in comparison or assignment operations. In lsbCondition types, this is a Comparison Operand. The values of the dereferenced operand name constitute the domain of values with which the Named Operand is compared. Comparison operations are obligated to iterate over all values of the Comparison operand. In lsbAction types, this is an Assignment Operand. Use of multivalued Assignment Operands is undefined. This Dynamic Operand type represents a variable which possesses some value(s) of type String.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SINGLE-VALUE USAGE userApplications ) attributetype ( OID-AT.21 NAME 'lsbOperandDynInt' DESC 'Name of an operand, the value of which is used in comparison or assignment operations. In lsbCondition types, this is a Comparison Operand. 
The values of the dereferenced operand name constitute the domain of values with which the Named Operand is compared. Comparison operations are obligated to iterate over all values of the Comparison operand. In lsbAction types, this is an Assignment Operand. Use of multivalued Assignment Operands is undefined. This Dynamic Bartz [Page 17] INTERNET-DRAFT LSBPRC December, 2002 Operand type represents a variable which possesses some value(s) of type Integer.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SINGLE-VALUE USAGE userApplications ) attributetype ( OID-AT.23 NAME 'lsbOperandDynFloat' DESC 'Name of an operand, the value of which is used in comparison or assignment operations. In lsbCondition types, this is a Comparison Operand. The values of the dereferenced operand name constitute the domain of values with which the Named Operand is compared. Comparison operations are obligated to iterate over all values of the Comparison operand. In lsbAction types, this is an Assignment Operand. Use of multivalued Assignment Operands is undefined. This Dynamic Operand type represents a variable which possesses some value(s) of type Float.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SINGLE-VALUE USAGE userApplications ) attributetype ( OID-AT.25 NAME 'lsbOperandDynBitStr' DESC 'Name of an operand, the value of which is used in comparison or assignment operations. In lsbCondition types, this is a Comparison Operand. The values of the dereferenced operand name constitute the domain of values with which the Named Operand is compared. Comparison operations are obligated to iterate over all values of the Comparison operand. In lsbAction types, this is an Assignment Operand. Use of multivalued Assignment Operands is undefined. This Dynamic Operand type represents a variable which possesses some value(s) of type Bit String.' 
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SINGLE-VALUE USAGE userApplications ) Bartz [Page 18] INTERNET-DRAFT LSBPRC December, 2002 attributetype ( OID-AT.27 NAME 'lsbOperandDynBool' DESC 'Name of an operand, the value of which is used in comparison or assignment operations. In lsbCondition types, this is a Comparison Operand. The values of the dereferenced operand name constitute the domain of values with which the Named Operand is compared. Comparison operations are obligated to iterate over all values of the Comparison operand. In lsbAction types, this is an Assignment Operand. Use of multivalued Assignment Operands is undefined. This Dynamic Operand type represents a variable which possesses a value of type Boolean.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SINGLE-VALUE USAGE userApplications ) attributetype ( OID-AT.29 NAME 'lsbOperandDynOctStr' DESC 'Name of an operand, the value of which is used in comparison or assignment operations. In lsbCondition types, this is a Comparison Operand. The values of the dereferenced operand name constitute the domain of values with which the Named Operand is compared. Comparison operations are obligated to iterate over all values of the Comparison operand. In lsbAction types, this is an Assignment Operand. Use of multivalued Assignment Operands is undefined. This Dynamic Operand type represents a variable which possesses some value(s) of type Octet String.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SINGLE-VALUE USAGE userApplications ) 3.2.3.2. LDAP URL Value Operand attributetype ( OID-AT.31 NAME 'lsbOperandValueLDAPURLStr' DESC 'RFC 2255 LDAP URL which returns values of a single attribute. In lsbCondition types, this is a Comparison Operand. 
          The values returned by the LDAP operation constitute the
          domain of values with which the Named Operand is compared.
          Comparison operations are obligated to iterate over all
          values of the Comparison Operand. In lsbAction types, this
          is an Assignment Operand. Use of multivalued Assignment
          Operands is undefined. This LDAP URL Value Operand
          represents an LDAP URL which, when dereferenced, returns
          one or more values which are of type String.'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    EQUALITY caseExactMatch
    SUBSTR caseExactSubstringsMatch
    SINGLE-VALUE
    USAGE userApplications
)

attributetype (
    OID-AT.33
    NAME 'lsbOperandValueLDAPURLInt'
    DESC 'RFC 2255 LDAP URL which returns values of a single
          attribute. In lsbCondition types, this is a Comparison
          Operand. The values returned by the LDAP operation
          constitute the domain of values with which the Named
          Operand is compared. Comparison operations are obligated
          to iterate over all values of the Comparison Operand. In
          lsbAction types, this is an Assignment Operand. Use of
          multivalued Assignment Operands is undefined. This LDAP
          URL Value Operand represents an LDAP URL which, when
          dereferenced, returns one or more values which are of
          type Integer.'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    EQUALITY caseExactMatch
    SUBSTR caseExactSubstringsMatch
    SINGLE-VALUE
    USAGE userApplications
)

attributetype (
    OID-AT.35
    NAME 'lsbOperandValueLDAPURLFloat'
    DESC 'RFC 2255 LDAP URL which returns values of a single
          attribute. In lsbCondition types, this is a Comparison
          Operand. The values returned by the LDAP operation
          constitute the domain of values with which the Named
          Operand is compared. Comparison operations are obligated
          to iterate over all values of the Comparison Operand. In
          lsbAction types, this is an Assignment Operand. Use of
          multivalued Assignment Operands is undefined. This LDAP
          URL Value Operand represents an LDAP URL which, when
          dereferenced, returns one or more values which are of
          type Float.'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    EQUALITY caseExactMatch
    SUBSTR caseExactSubstringsMatch
    SINGLE-VALUE
    USAGE userApplications
)

attributetype (
    OID-AT.37
    NAME 'lsbOperandValueLDAPURLBitStr'
    DESC 'RFC 2255 LDAP URL which returns values of a single
          attribute. In lsbCondition types, this is a Comparison
          Operand. The values returned by the LDAP operation
          constitute the domain of values with which the Named
          Operand is compared. Comparison operations are obligated
          to iterate over all values of the Comparison Operand. In
          lsbAction types, this is an Assignment Operand. Use of
          multivalued Assignment Operands is undefined. This LDAP
          URL Value Operand represents an LDAP URL which, when
          dereferenced, returns one or more values which are of
          type Bit String.'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    EQUALITY caseExactMatch
    SUBSTR caseExactSubstringsMatch
    SINGLE-VALUE
    USAGE userApplications
)

attributetype (
    OID-AT.39
    NAME 'lsbOperandValueLDAPURLBool'
    DESC 'RFC 2255 LDAP URL which returns values of a single
          attribute. In lsbCondition types, this is a Comparison
          Operand. The values returned by the LDAP operation
          constitute the domain of values with which the Named
          Operand is compared. Comparison operations are obligated
          to iterate over all values of the Comparison Operand. In
          lsbAction types, this is an Assignment Operand. Use of
          multivalued Assignment Operands is undefined. This LDAP
          URL Value Operand represents an LDAP URL which, when
          dereferenced, returns a value of type Boolean.'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    EQUALITY caseExactMatch
    SUBSTR caseExactSubstringsMatch
    SINGLE-VALUE
    USAGE userApplications
)

attributetype (
    OID-AT.41
    NAME 'lsbOperandValueLDAPURLOctStr'
    DESC 'RFC 2255 LDAP URL which returns values of a single
          attribute. In lsbCondition types, this is a Comparison
          Operand.
          The values returned by the LDAP operation constitute the
          domain of values with which the Named Operand is compared.
          Comparison operations are obligated to iterate over all
          values of the Comparison Operand. In lsbAction types, this
          is an Assignment Operand. Use of multivalued Assignment
          Operands is undefined. This LDAP URL Value Operand
          represents an LDAP URL which, when dereferenced, returns
          one or more values which are of type Octet String.'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    EQUALITY caseExactMatch
    SUBSTR caseExactSubstringsMatch
    SINGLE-VALUE
    USAGE userApplications
)

3.2.4. Utility Attributes

3.2.4.1. String Ignore Case Flag

attributetype (
    OID-AT.43
    NAME 'lsbCompareStrIgnoreCase'
    DESC 'Indicates whether conditions which compare character
          strings should ignore case.'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
    EQUALITY booleanMatch
    SINGLE-VALUE
    USAGE userApplications
)

3.2.4.2. String Concatenation Delimiter

attributetype (
    OID-AT.44
    NAME 'lsbStrCatDelim'
    DESC 'Optional delimiter for string concatenation assignment
          operations.'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    EQUALITY caseExactMatch
    SUBSTR caseExactSubstringsMatch
    SINGLE-VALUE
    USAGE userApplications
)

3.2.4.3. Assignment Mode

attributetype (
    OID-AT.45
    NAME 'lsbActionAssignmentMode'
    DESC 'Integer value indicates mode of assignment action.
          "1": replace any/all Named Operand values by single value.
          "2": augment multivalued Named Operand by additional value.
          "3": modify all values of Named Operand by assignment
               operation.
          "4": delete specified value from value set of Named
               Operand.'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SINGLE-VALUE
    USAGE userApplications
)

3.3. LSBPRC Implementable Objectclasses

3.3.1. LSBPRC Condition Components

3.3.1.1. String Comparison Operations

3.3.1.1.1. String Equality Comparison

objectclass (
    OID-OC.3
    NAME 'lsbConditionStrEQ'
    DESC 'Specifies comparison according to the semantic of
          "equal".
          The Named Operand is evaluated for lexicographically
          "equal" with respect to the Comparison Operand. When the
          Named Operand and/or Comparison Operand is multivalued, if
          one comparison operation of any pair of operands satisfies
          the comparison operation, the condition evaluates as TRUE.'
    SUP lsbCondition
    MUST ( lsbOperandNamedStr $ lsbCompareStrIgnoreCase )
    MAY ( lsbOperandSpecStr $ lsbOperandValueLDAPURLStr $
          lsbOperandDynStr )
    AUXILIARY
)

3.3.1.1.2. String GreaterThan Comparison

objectclass (
    OID-OC.4
    NAME 'lsbConditionStrGT'
    DESC 'Specifies comparison according to the semantic of
          "greaterThan". The Named Operand is evaluated for
          lexicographically "greaterThan" with respect to the
          Comparison Operand. When the Named Operand and/or
          Comparison Operand is multivalued, if one comparison
          operation of any pair of operands satisfies the
          comparison operation, the condition evaluates as TRUE.'
    SUP lsbCondition
    MUST ( lsbOperandNamedStr $ lsbCompareStrIgnoreCase )
    MAY ( lsbOperandSpecStr $ lsbOperandValueLDAPURLStr $
          lsbOperandDynStr )
    AUXILIARY
)

3.3.1.1.3. String LessThan Comparison

objectclass (
    OID-OC.5
    NAME 'lsbConditionStrLT'
    DESC 'Specifies comparison according to the semantic of
          "lessThan". The Named Operand is evaluated for
          lexicographically "lessThan" with respect to the
          Comparison Operand. When the Named Operand and/or
          Comparison Operand is multivalued, if one comparison
          operation of any pair of operands satisfies the
          comparison operation, the condition evaluates as TRUE.'
    SUP lsbCondition
    MUST ( lsbOperandNamedStr $ lsbCompareStrIgnoreCase )
    MAY ( lsbOperandSpecStr $ lsbOperandValueLDAPURLStr $
          lsbOperandDynStr )
    AUXILIARY
)

3.3.1.1.4. String Length Equality Comparison

objectclass (
    OID-OC.6
    NAME 'lsbConditionStrLenEQ'
    DESC 'Specifies comparison according to the semantic of
          "equal". The length of Named Operand is evaluated for
          "equal" with respect to the length of the Comparison
          Operand.
          When the Named Operand and/or Comparison Operand is
          multivalued, if one comparison operation of any pair of
          operands satisfies the comparison operation, the
          condition evaluates as TRUE.'
    SUP lsbCondition
    MUST ( lsbOperandNamedStr )
    MAY ( lsbOperandSpecStr $ lsbOperandValueLDAPURLStr $
          lsbOperandDynStr )
    AUXILIARY
)

3.3.1.1.5. String Length GreaterThan Comparison

objectclass (
    OID-OC.7
    NAME 'lsbConditionStrLenGT'
    DESC 'Specifies comparison according to the semantic of
          "greaterThan". The length of Named Operand is evaluated
          for "greaterThan" with respect to the length of the
          Comparison Operand. When the Named Operand and/or
          Comparison Operand is multivalued, if one comparison
          operation of any pair of operands satisfies the
          comparison operation, the condition evaluates as TRUE.'
    SUP lsbCondition
    MUST ( lsbOperandNamedStr )
    MAY ( lsbOperandSpecStr $ lsbOperandValueLDAPURLStr $
          lsbOperandDynStr )
    AUXILIARY
)

3.3.1.1.6. String Length LessThan Comparison

objectclass (
    OID-OC.8
    NAME 'lsbConditionStrLenLT'
    DESC 'Specifies comparison according to the semantic of
          "lessThan". The length of Named Operand is evaluated for
          "lessThan" with respect to the length of the Comparison
          Operand. When the Named Operand and/or Comparison Operand
          is multivalued, if one comparison operation of any pair
          of operands satisfies the comparison operation, the
          condition evaluates as TRUE.'
    SUP lsbCondition
    MUST ( lsbOperandNamedStr )
    MAY ( lsbOperandSpecStr $ lsbOperandValueLDAPURLStr $
          lsbOperandDynStr )
    AUXILIARY
)

3.3.1.1.7. String BeginsWith Comparison

objectclass (
    OID-OC.9
    NAME 'lsbConditionStrBeg'
    DESC 'Specifies comparison according to the semantic of
          "beginsWith". The Named Operand is evaluated for
          "beginsWith" with respect to the Comparison Operand.
          When the Named Operand and/or Comparison Operand is
          multivalued, if one comparison operation of any pair of
          operands satisfies the comparison operation, the
          condition evaluates as TRUE.'
    SUP lsbCondition
    MUST ( lsbOperandNamedStr $ lsbCompareStrIgnoreCase )
    MAY ( lsbOperandSpecStr $ lsbOperandValueLDAPURLStr $
          lsbOperandDynStr )
    AUXILIARY
)

3.3.1.1.8. String EndsWith Comparison

objectclass (
    OID-OC.10
    NAME 'lsbConditionStrEnd'
    DESC 'Specifies comparison according to the semantic of
          "endsWith". The Named Operand is evaluated for "endsWith"
          with respect to the Comparison Operand. When the Named
          Operand and/or Comparison Operand is multivalued, if one
          comparison operation of any pair of operands satisfies
          the comparison operation, the condition evaluates as
          TRUE.'
    SUP lsbCondition
    MUST ( lsbOperandNamedStr $ lsbCompareStrIgnoreCase )
    MAY ( lsbOperandSpecStr $ lsbOperandValueLDAPURLStr $
          lsbOperandDynStr )
    AUXILIARY
)

3.3.1.1.9. String Contains Comparison

objectclass (
    OID-OC.11
    NAME 'lsbConditionStrCont'
    DESC 'Specifies comparison according to the semantic of
          "contains". The Named Operand is evaluated for "contains"
          with respect to the Comparison Operand. When the Named
          Operand and/or Comparison Operand is multivalued, if one
          comparison operation of any pair of operands satisfies
          the comparison operation, the condition evaluates as
          TRUE.'
    SUP lsbCondition
    MUST ( lsbOperandNamedStr $ lsbCompareStrIgnoreCase )
    MAY ( lsbOperandSpecStr $ lsbOperandValueLDAPURLStr $
          lsbOperandDynStr )
    AUXILIARY
)

3.3.1.1.10. String Exists Comparison

objectclass (
    OID-OC.12
    NAME 'lsbConditionStrExist'
    DESC 'Specifies comparison according to the semantic of
          "exists". The Named Operand is evaluated for "exists".'
    SUP lsbCondition
    MUST ( lsbOperandNamedStr )
    AUXILIARY
)

3.3.1.2. Integer Comparison Operations

3.3.1.2.1. Integer Equality Comparison

objectclass (
    OID-OC.13
    NAME 'lsbConditionIntEQ'
    DESC 'Specifies comparison according to the semantic of
          "equal". The Named Operand is evaluated for "equal" with
          respect to the Comparison Operand. When the Named Operand
          and/or Comparison Operand is multivalued, if one
          comparison operation of any pair of operands satisfies
          the comparison operation, the condition evaluates as
          TRUE.'
    SUP lsbCondition
    MUST ( lsbOperandNamedInt )
    MAY ( lsbOperandSpecInt $ lsbOperandValueLDAPURLInt $
          lsbOperandDynInt )
    AUXILIARY
)

3.3.1.2.2. Integer GreaterThan Comparison

objectclass (
    OID-OC.14
    NAME 'lsbConditionIntGT'
    DESC 'Specifies comparison according to the semantic of
          "greaterThan". The Named Operand is evaluated for
          "greaterThan" with respect to the Comparison Operand.
          When the Named Operand and/or Comparison Operand is
          multivalued, if one comparison operation of any pair of
          operands satisfies the comparison operation, the
          condition evaluates as TRUE.'
    SUP lsbCondition
    MUST ( lsbOperandNamedInt )
    MAY ( lsbOperandSpecInt $ lsbOperandValueLDAPURLInt $
          lsbOperandDynInt )
    AUXILIARY
)

3.3.1.2.3. Integer LessThan Comparison

objectclass (
    OID-OC.15
    NAME 'lsbConditionIntLT'
    DESC 'Specifies comparison according to the semantic of
          "lessThan". The Named Operand is evaluated for "lessThan"
          with respect to the Comparison Operand. When the Named
          Operand and/or Comparison Operand is multivalued, if one
          comparison operation of any pair of operands satisfies
          the comparison operation, the condition evaluates as
          TRUE.'
    SUP lsbCondition
    MUST ( lsbOperandNamedInt )
    MAY ( lsbOperandSpecInt $ lsbOperandValueLDAPURLInt $
          lsbOperandDynInt )
    AUXILIARY
)

3.3.1.2.4. Integer Exists Comparison

objectclass (
    OID-OC.16
    NAME 'lsbConditionIntExist'
    DESC 'Specifies comparison according to the semantic of
          "exists". The Named Operand is evaluated for "exists".'
    SUP lsbCondition
    MUST ( lsbOperandNamedInt )
    AUXILIARY
)

3.3.1.3. Float Comparison Operations

3.3.1.3.1. Float Equality Comparison

objectclass (
    OID-OC.17
    NAME 'lsbConditionFloatEQ'
    DESC 'Specifies comparison according to the semantic of
          "equal". The Named Operand is evaluated for "equal" with
          respect to the Comparison Operand. When the Named Operand
          and/or Comparison Operand is multivalued, if one
          comparison operation of any pair of operands satisfies
          the comparison operation, the condition evaluates as
          TRUE.'
    SUP lsbCondition
    MUST ( lsbOperandNamedFloat )
    MAY ( lsbOperandSpecFloat $ lsbOperandValueLDAPURLFloat $
          lsbOperandDynFloat )
    AUXILIARY
)

3.3.1.3.2. Float GreaterThan Comparison

objectclass (
    OID-OC.18
    NAME 'lsbConditionFloatGT'
    DESC 'Specifies comparison according to the semantic of
          "greaterThan". The Named Operand is evaluated for
          "greaterThan" with respect to the Comparison Operand.
          When the Named Operand and/or Comparison Operand is
          multivalued, if one comparison operation of any pair of
          operands satisfies the comparison operation, the
          condition evaluates as TRUE.'
    SUP lsbCondition
    MUST ( lsbOperandNamedFloat )
    MAY ( lsbOperandSpecFloat $ lsbOperandValueLDAPURLFloat $
          lsbOperandDynFloat )
    AUXILIARY
)

3.3.1.3.3. Float LessThan Comparison

objectclass (
    OID-OC.19
    NAME 'lsbConditionFloatLT'
    DESC 'Specifies comparison according to the semantic of
          "lessThan". The Named Operand is evaluated for "lessThan"
          with respect to the Comparison Operand. When the Named
          Operand and/or Comparison Operand is multivalued, if one
          comparison operation of any pair of operands satisfies
          the comparison operation, the condition evaluates as
          TRUE.'
    SUP lsbCondition
    MUST ( lsbOperandNamedFloat )
    MAY ( lsbOperandSpecFloat $ lsbOperandValueLDAPURLFloat $
          lsbOperandDynFloat )
    AUXILIARY
)

3.3.1.3.4. Float Exists Comparison

objectclass (
    OID-OC.20
    NAME 'lsbConditionFloatExist'
    DESC 'Specifies comparison according to the semantic of
          "exists".
          The Named Operand is evaluated for "exists".'
    SUP lsbCondition
    MUST ( lsbOperandNamedFloat )
    AUXILIARY
)

3.3.1.4. Boolean Comparison Operations

3.3.1.4.1. Boolean Equality Comparison

objectclass (
    OID-OC.21
    NAME 'lsbConditionBoolEQ'
    DESC 'Specifies comparison according to the semantic of
          "equal". The Named Operand is evaluated for "equal" with
          respect to the Comparison Operand. A boolean Named
          Operand should never be multivalued. Neither should the
          Comparison Operand.'
    SUP lsbCondition
    MUST ( lsbOperandNamedBool )
    MAY ( lsbOperandSpecBool $ lsbOperandValueLDAPURLBool $
          lsbOperandDynBool )
    AUXILIARY
)

3.3.1.5. BitString Comparison Operations

3.3.1.5.1. Bit Value Equality Comparison

objectclass (
    OID-OC.22
    NAME 'lsbConditionBitEQ'
    DESC 'Specifies comparison according to the semantic of
          "equal". The Named Operand is evaluated for
          mathematically "equal" with respect to the Comparison
          Operand. When the Named Operand and/or Comparison Operand
          is multivalued, if one comparison operation of any pair
          of operands satisfies the comparison operation, the
          condition evaluates as TRUE.'
    SUP lsbCondition
    MUST ( lsbOperandNamedBitStr )
    MAY ( lsbOperandSpecBitStr $ lsbOperandValueLDAPURLBitStr $
          lsbOperandDynBitStr )
    AUXILIARY
)

3.3.1.5.2. Bit Value GreaterThan Comparison

objectclass (
    OID-OC.23
    NAME 'lsbConditionBitGT'
    DESC 'Specifies comparison according to the semantic of
          "greaterThan". The Named Operand is evaluated for
          mathematically "greaterThan" with respect to the
          Comparison Operand. When the Named Operand and/or
          Comparison Operand is multivalued, if one comparison
          operation of any pair of operands satisfies the
          comparison operation, the condition evaluates as TRUE.'
    SUP lsbCondition
    MUST ( lsbOperandNamedBitStr )
    MAY ( lsbOperandSpecBitStr $ lsbOperandValueLDAPURLBitStr $
          lsbOperandDynBitStr )
    AUXILIARY
)

3.3.1.5.3. Bit Value LessThan Comparison

objectclass (
    OID-OC.24
    NAME 'lsbConditionBitLT'
    DESC 'Specifies comparison according to the semantic of
          "lessThan". The Named Operand is evaluated for
          mathematically "lessThan" with respect to the Comparison
          Operand. When the Named Operand and/or Comparison Operand
          is multivalued, if one comparison operation of any pair
          of operands satisfies the comparison operation, the
          condition evaluates as TRUE.'
    SUP lsbCondition
    MUST ( lsbOperandNamedBitStr )
    MAY ( lsbOperandSpecBitStr $ lsbOperandValueLDAPURLBitStr $
          lsbOperandDynBitStr )
    AUXILIARY
)

3.3.1.5.4. BitString Exists Comparison

objectclass (
    OID-OC.25
    NAME 'lsbConditionBitExist'
    DESC 'Specifies comparison according to the semantic of
          "exists". The Named Operand is evaluated for "exists".'
    SUP lsbCondition
    MUST ( lsbOperandNamedBitStr )
    AUXILIARY
)

3.3.1.6. Delegated Comparison Operations

3.3.1.6.1. Delegation to Distributed Object

objectclass (
    OID-OC.30
    NAME 'lsbConditionObjRef'
    DESC 'This lsbCondition type delegates the comparison operation
          to a distributed object. Use this when [1] the comparison
          operation cannot be defined using other lsbCondition
          types due to complexity or information domain uniqueness,
          or [2] the comparison operation is computationally
          infeasible or otherwise inappropriate for computation by
          a general purpose PDP. The PDP is responsible for
          providing the distributed object with the operands of the
          condition. The PDP might optionally provide the
          distributed object with other information it received
          from the PEP, information assigned via computation of
          lsbActions, and more. The distributed object is
          responsible for returning a boolean result, which the PDP
          interprets as the value of the comparison operation. The
          identity of the distributed object is defined by
          including attribute/value pairs defined by RFC 2713 or
          RFC 2714.'
    SUP lsbCondition
    MAY ( lsbOperandNamedStr $ lsbOperandNamedInt $
          lsbOperandNamedFloat $ lsbOperandNamedBitStr $
          lsbOperandNamedBool $ lsbOperandNamedOctStr $
          lsbOperandSpecStr $ lsbOperandSpecInt $
          lsbOperandSpecFloat $ lsbOperandSpecBool $
          lsbOperandSpecBitStr $ lsbOperandSpecOctStr $
          lsbOperandValueLDAPURLStr $ lsbOperandValueLDAPURLInt $
          lsbOperandValueLDAPURLFloat $
          lsbOperandValueLDAPURLBitStr $
          lsbOperandValueLDAPURLBool $
          lsbOperandValueLDAPURLOctStr $
          lsbOperandDynStr $ lsbOperandDynInt $
          lsbOperandDynFloat $ lsbOperandDynBitStr $
          lsbOperandDynBool $ lsbOperandDynOctStr $
          lsbCompareStrIgnoreCase )
    AUXILIARY
)

3.3.2. LSBPRC Action Components

3.3.2.1. String Assignment Operations

3.3.2.1.1. String Assignment

objectclass (
    OID-OC.31
    NAME 'lsbActionStrEQ'
    DESC 'Specifies value assignment according to the semantic of
          "Equal". The value of the Named Operand is assigned or
          modified by "Equal" with respect to the specified
          Assignment Operand.'
    SUP lsbAction
    MUST ( lsbOperandNamedStr $ lsbActionAssignmentMode )
    MAY ( lsbOperandSpecStr $ lsbOperandValueLDAPURLStr $
          lsbOperandDynStr )
    AUXILIARY
)

3.3.2.1.2. String Concatenation Assignment

objectclass (
    OID-OC.32
    NAME 'lsbActionStrCat'
    DESC 'Specifies value assignment according to the semantic of
          "STRing conCATenization". The value of the Named Operand
          is modified by appending the Assignment Operand.'
    SUP lsbAction
    MUST ( lsbOperandNamedStr $ lsbActionAssignmentMode )
    MAY ( lsbOperandSpecStr $ lsbOperandValueLDAPURLStr $
          lsbOperandDynStr $ lsbStrCatDelim )
    AUXILIARY
)

3.3.2.2. Integer Assignment Operations

3.3.2.2.1. Integer Assignment

objectclass (
    OID-OC.33
    NAME 'lsbActionIntEQ'
    DESC 'Specifies value assignment according to the semantic of
          "Equal". The value of the Named Operand is assigned or
          modified by "Equal" with respect to the Assignment
          Operand.'
    SUP lsbAction
    MUST ( lsbOperandNamedInt $ lsbActionAssignmentMode )
    MAY ( lsbOperandSpecInt $ lsbOperandValueLDAPURLInt $
          lsbOperandDynInt )
    AUXILIARY
)

3.3.2.2.2. Integer PlusEquals Assignment

objectclass (
    OID-OC.34
    NAME 'lsbActionIntPlusEQ'
    DESC 'Specifies value assignment according to the semantic of
          "PlusEqual". The value of the Named Operand is assigned
          or modified by "PlusEqual" with respect to the Assignment
          Operand.'
    SUP lsbAction
    MUST ( lsbOperandNamedInt $ lsbActionAssignmentMode )
    MAY ( lsbOperandSpecInt $ lsbOperandValueLDAPURLInt $
          lsbOperandDynInt )
    AUXILIARY
)

3.3.2.2.3. Integer MinusEquals Assignment

objectclass (
    OID-OC.35
    NAME 'lsbActionIntMinusEQ'
    DESC 'Specifies value assignment according to the semantic of
          "MinusEqual". The value of the Named Operand is assigned
          or modified by "MinusEqual" with respect to the
          Assignment Operand.'
    SUP lsbAction
    MUST ( lsbOperandNamedInt $ lsbActionAssignmentMode )
    MAY ( lsbOperandSpecInt $ lsbOperandValueLDAPURLInt $
          lsbOperandDynInt )
    AUXILIARY
)

3.3.2.2.4. Integer MultEquals Assignment

objectclass (
    OID-OC.36
    NAME 'lsbActionIntMultEQ'
    DESC 'Specifies value assignment according to the semantic of
          "MultEqual". The value of the Named Operand is assigned
          or modified by "MultEqual" with respect to the Assignment
          Operand.'
    SUP lsbAction
    MUST ( lsbOperandNamedInt $ lsbActionAssignmentMode )
    MAY ( lsbOperandSpecInt $ lsbOperandValueLDAPURLInt $
          lsbOperandDynInt )
    AUXILIARY
)

3.3.2.2.5. Integer DivEquals Assignment

objectclass (
    OID-OC.37
    NAME 'lsbActionIntDivEQ'
    DESC 'Specifies value assignment according to the semantic of
          "DivEqual". The value of the Named Operand is assigned or
          modified by "DivEqual" with respect to the Assignment
          Operand.'
    SUP lsbAction
    MUST ( lsbOperandNamedInt $ lsbActionAssignmentMode )
    MAY ( lsbOperandSpecInt $ lsbOperandValueLDAPURLInt $
          lsbOperandDynInt )
    AUXILIARY
)

3.3.2.2.6. Integer ModuloEquals Assignment

objectclass (
    OID-OC.38
    NAME 'lsbActionIntModuloEQ'
    DESC 'Specifies value assignment according to the semantic of
          "ModuloEqual". The value of the Named Operand is assigned
          the value of NamedOperand modulo AssignmentOperand.'
    SUP lsbAction
    MUST ( lsbOperandNamedInt $ lsbActionAssignmentMode )
    MAY ( lsbOperandSpecInt $ lsbOperandValueLDAPURLInt $
          lsbOperandDynInt )
    AUXILIARY
)

3.3.2.3. Float Assignment Operations

3.3.2.3.1. Float Assignment

objectclass (
    OID-OC.39
    NAME 'lsbActionFloatEQ'
    DESC 'Specifies value assignment according to the semantic of
          "Equal". The value of the Named Operand is assigned or
          modified by "Equal" with respect to the specified
          Assignment Operand.'
    SUP lsbAction
    MUST ( lsbOperandNamedFloat $ lsbActionAssignmentMode )
    MAY ( lsbOperandSpecFloat $ lsbOperandValueLDAPURLFloat $
          lsbOperandDynFloat )
    AUXILIARY
)

3.3.2.3.2. Float PlusEquals Assignment

objectclass (
    OID-OC.40
    NAME 'lsbActionFloatPlusEQ'
    DESC 'Specifies value assignment according to the semantic of
          "PlusEqual". The value of the Named Operand is assigned
          or modified by "PlusEqual" with respect to the Assignment
          Operand.'
    SUP lsbAction
    MUST ( lsbOperandNamedFloat $ lsbActionAssignmentMode )
    MAY ( lsbOperandSpecFloat $ lsbOperandValueLDAPURLFloat $
          lsbOperandDynFloat )
    AUXILIARY
)

3.3.2.3.3. Float MinusEquals Assignment

objectclass (
    OID-OC.41
    NAME 'lsbActionFloatMinusEQ'
    DESC 'Specifies value assignment according to the semantic of
          "MinusEqual". The value of the Named Operand is assigned
          or modified by "MinusEqual" with respect to the
          Assignment Operand.'
    SUP lsbAction
    MUST ( lsbOperandNamedFloat $ lsbActionAssignmentMode )
    MAY ( lsbOperandSpecFloat $ lsbOperandValueLDAPURLFloat $
          lsbOperandDynFloat )
    AUXILIARY
)

3.3.2.3.4. Float MultEquals Assignment

objectclass (
    OID-OC.42
    NAME 'lsbActionFloatMultEQ'
    DESC 'Specifies value assignment according to the semantic of
          "MultEqual". The value of the Named Operand is assigned
          or modified by "MultEqual" with respect to the Assignment
          Operand.'
    SUP lsbAction
    MUST ( lsbOperandNamedFloat $ lsbActionAssignmentMode )
    MAY ( lsbOperandSpecFloat $ lsbOperandValueLDAPURLFloat $
          lsbOperandDynFloat )
    AUXILIARY
)

3.3.2.3.5. Float DivEquals Assignment

objectclass (
    OID-OC.43
    NAME 'lsbActionFloatDivEQ'
    DESC 'Specifies value assignment according to the semantic of
          "DivEqual". The value of the Named Operand is assigned or
          modified by "DivEqual" with respect to the Assignment
          Operand.'
    SUP lsbAction
    MUST ( lsbOperandNamedFloat $ lsbActionAssignmentMode )
    MAY ( lsbOperandSpecFloat $ lsbOperandValueLDAPURLFloat $
          lsbOperandDynFloat )
    AUXILIARY
)

3.3.2.3.6. Float ModuloEquals Assignment

objectclass (
    OID-OC.44
    NAME 'lsbActionFloatModuloEQ'
    DESC 'Specifies value assignment according to the semantic of
          "ModuloEqual". The value of the Named Operand is assigned
          the value of NamedOperand modulo AssignmentOperand.'
    SUP lsbAction
    MUST ( lsbOperandNamedFloat $ lsbActionAssignmentMode )
    MAY ( lsbOperandSpecFloat $ lsbOperandValueLDAPURLFloat $
          lsbOperandDynFloat )
    AUXILIARY
)

3.3.2.4. Boolean Assignment Operations

3.3.2.4.1. Boolean Assignment

objectclass (
    OID-OC.45
    NAME 'lsbActionBoolEQ'
    DESC 'Specifies value assignment according to the semantic of
          "Equal". The value of the Named Operand is assigned or
          modified by "Equal" with respect to the specified
          Assignment Operand. A boolean Named Operand should never
          be multivalued.'
    SUP lsbAction
    MUST ( lsbOperandNamedBool $ lsbActionAssignmentMode )
    MAY ( lsbOperandSpecBool $ lsbOperandValueLDAPURLBool $
          lsbOperandDynBool )
    AUXILIARY
)

3.3.2.5. BitString Assignment Operations

3.3.2.5.1. Bitwise Shift Left Assignment

objectclass (
    OID-OC.46
    NAME 'lsbActionBitShiftL'
    DESC 'Specifies value assignment according to the semantic of
          "ShiftLeftBy". The value of the Named Operand is assigned
          the value of NamedOperand ShiftLeftBy AssignmentOperand.'
    SUP lsbAction
    MUST ( lsbOperandNamedBitStr $ lsbActionAssignmentMode )
    MAY ( lsbOperandSpecInt $ lsbOperandValueLDAPURLInt $
          lsbOperandDynInt )
    AUXILIARY
)

3.3.2.5.2. Bitwise Shift Right Assignment

objectclass (
    OID-OC.47
    NAME 'lsbActionBitShiftR'
    DESC 'Specifies value assignment according to the semantic of
          "ShiftRightBy". The value of the Named Operand is
          assigned the value of NamedOperand ShiftRightBy
          AssignmentOperand.'
    SUP lsbAction
    MUST ( lsbOperandNamedBitStr $ lsbActionAssignmentMode )
    MAY ( lsbOperandSpecInt $ lsbOperandValueLDAPURLInt $
          lsbOperandDynInt )
    AUXILIARY
)

3.3.2.5.3. Bitwise Shift Right Zero-fill Assignment

objectclass (
    OID-OC.48
    NAME 'lsbActionBitShiftRZf'
    DESC 'Specifies value assignment according to the semantic of
          "ShiftRightByAndZero-fill". The value of the Named
          Operand is assigned the value of NamedOperand
          ShiftRightBy AssignmentOperand. The displaced positions
          to the left of the original bitstring are filled with
          zeroes, so the new string has the same number of bits as
          the initial string.'
    SUP lsbAction
    MUST ( lsbOperandNamedBitStr $ lsbActionAssignmentMode )
    MAY ( lsbOperandSpecInt $ lsbOperandValueLDAPURLInt $
          lsbOperandDynInt )
    AUXILIARY
)

3.3.2.5.4. Bitwise AND Assignment

objectclass (
    OID-OC.49
    NAME 'lsbActionBitAND'
    DESC 'Specifies value assignment according to the semantic of
          "ANDwith". The value of the Named Operand is assigned the
          value of NamedOperand ANDwith AssignmentOperand.'
    SUP lsbAction
    MUST ( lsbOperandNamedBitStr $ lsbActionAssignmentMode )
    MAY ( lsbOperandSpecBitStr $ lsbOperandValueLDAPURLBitStr $
          lsbOperandDynBitStr )
    AUXILIARY
)

3.3.2.5.5. Bitwise OR Assignment

objectclass (
    OID-OC.50
    NAME 'lsbActionBitOR'
    DESC 'Specifies value assignment according to the semantic of
          "ORwith". The value of the Named Operand is assigned the
          value of NamedOperand ORwith AssignmentOperand.'
    SUP lsbAction
    MUST ( lsbOperandNamedBitStr $ lsbActionAssignmentMode )
    MAY ( lsbOperandSpecBitStr $ lsbOperandValueLDAPURLBitStr $
          lsbOperandDynBitStr )
    AUXILIARY
)

3.3.2.5.6. Bitwise XOR Assignment

objectclass (
    OID-OC.51
    NAME 'lsbActionBitXOR'
    DESC 'Specifies value assignment according to the semantic of
          "XORwith". The value of the Named Operand is assigned the
          value of NamedOperand XORwith AssignmentOperand.'
    SUP lsbAction
    MUST ( lsbOperandNamedBitStr $ lsbActionAssignmentMode )
    MAY ( lsbOperandSpecBitStr $ lsbOperandValueLDAPURLBitStr $
          lsbOperandDynBitStr )
    AUXILIARY
)

3.3.2.5.7. Bitwise OnesComplement Assignment

objectclass (
    OID-OC.52
    NAME 'lsbActionBitOnesComp'
    DESC 'Specifies value assignment according to the semantic of
          "OnesComplement". In the absence of an Assignment
          Operand, the value of the Named Operand is assigned the
          "OnesComplement" of itself. When an Assignment Operand is
          specified, the Named Operand is assigned the value of
          "OnesComplement" of the Assignment Operand.'
    SUP lsbAction
    MUST ( lsbOperandNamedBitStr )
    MAY ( lsbOperandSpecBitStr $ lsbOperandValueLDAPURLBitStr $
          lsbOperandDynBitStr )
    AUXILIARY
)

3.3.2.6. Delegated Assignment Operations

3.3.2.6.1. Delegation to Distributed Object

objectclass (
    OID-OC.53
    NAME 'lsbActionObjRef'
    DESC 'This lsbAction type delegates the assignment operation to
          a distributed object. Use this when [1] the assignment
          operation cannot be defined using other lsbAction types
          due to complexity or information domain uniqueness, or
          [2] the assignment operation is computationally
          infeasible or otherwise inappropriate for computation by
          a general purpose PDP.
          The PDP is responsible for providing the distributed
          object with the operands of the action. The PDP might
          optionally provide the distributed object with other
          information it received from the PEP, information
          assigned via computation of lsbActions, and more. The
          distributed object is responsible for returning a value,
          which the PDP interprets as the value to be assigned to
          the Named Operand. The identity of the distributed object
          is defined by including attribute/value pairs defined by
          RFC 2713 or RFC 2714.'
    SUP lsbAction
    MUST ( lsbActionAssignmentMode )
    MAY ( lsbOperandNamedStr $ lsbOperandNamedInt $
          lsbOperandNamedFloat $ lsbOperandNamedBitStr $
          lsbOperandNamedBool $ lsbOperandNamedOctStr $
          lsbOperandSpecStr $ lsbOperandSpecInt $
          lsbOperandSpecFloat $ lsbOperandSpecBool $
          lsbOperandSpecBitStr $ lsbOperandSpecOctStr $
          lsbOperandValueLDAPURLStr $ lsbOperandValueLDAPURLInt $
          lsbOperandValueLDAPURLFloat $
          lsbOperandValueLDAPURLBitStr $
          lsbOperandValueLDAPURLBool $
          lsbOperandValueLDAPURLOctStr $
          lsbOperandDynStr $ lsbOperandDynInt $
          lsbOperandDynFloat $ lsbOperandDynBitStr $
          lsbOperandDynBool $ lsbOperandDynOctStr $
          lsbStrCatDelim )
    AUXILIARY
)

3.3.2.7. Delegated Action to Computing Resource

3.3.2.7.1. Delegation to Distributed Object

See 3.3.2.6.1. The distributed object may perform any activity which
fulfills the rule's requirement for "action".

3.3.3. LSBPRC Policy Alias

objectclass (
    OID-OC.54
    NAME 'lsbPolicyAlias'
    DESC 'Use this alias subtype for aliasing any Policy subtype.
          Instances shall also be members of the classes pcimPolicy
          and pcimElementAuxClass. As appropriate, instances shall
          also be members of other more specific Policy classes,
          such as the various Policy AuxClasses and their
          supertypes. commonName or cn is used as the naming
          attribute.'
    SUP alias
    STRUCTURAL
    MUST cn
)

4. Security Considerations

LSBPRC is not intended to represent any particular system design or
implementation.
   LSBPRC is directly usable in a real world system, but only with
   application-specific mappings of data to instances of
   LSBPRC-defined objectclasses and attributetypes. Applications and
   systems which use LSBPRC must define their own specific security
   considerations.

   LSBPRC is not representative of any real-world system because its
   object classes are designed to be independent of any specific
   discipline or policy domain.

   Even though application-specific security requirements are not
   appropriate for LSBPRC, specific security requirements MUST be
   defined for each operational real-world application of LSBPRC.
   Just as there will be a wide range of operational, real-world
   systems using LSBPRC, there will also be a wide range of security
   requirements for these systems. Some operational, real-world
   systems that are deployed using LSBPRC may have extensive security
   requirements that impact nearly all object classes utilized by
   such a system, while other systems' security requirements might
   have very little impact.

   The applications discussed above will create the context for
   applying operational, real-world, system-level security
   requirements against the various implementations of LSBPRC.

   In some real-world scenarios, the values associated with certain
   properties, within certain instantiated object classes, may
   represent information associated with scarce, and/or costly (and
   therefore valuable) resources. It may be the case that these
   values must not be disclosed to, or manipulated by, unauthorized
   parties.

   Since this document forms the basis for the representation of a
   policy data model in a specific format (an LDAP-accessible
   directory), it is herein appropriate to reference the data
   model-specific tools and mechanisms that are available for
   achieving the authentication and authorization implicit in a
   requirement that restricts read and/or read-write access to these
   values stored in a directory.

   General LDAP security considerations apply, as documented in
   RFC 3377 [3]. LDAP-specific authentication and authorization tools
   and mechanisms are found in the following standards track
   documents, which are appropriate for application to the management
   of security applied to policy data models stored in an
   LDAP-accessible directory:

   - RFC 2829 (Authentication Methods for LDAP) [15]

   - RFC 2830 (Lightweight Directory Access Protocol (v3): Extension
     for Transport Layer Security) [16]

5. Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described
   in this document or the extent to which any license under such
   rights might or might not be available; neither does it represent
   that it has made any effort to identify any such rights.
   Information on the IETF's procedures with respect to rights in
   standards-track and standards-related documentation can be found
   in BCP-11. Copies of claims of rights made available for
   publication and any assurances of licenses to be made available,
   or the result of an attempt made to obtain a general license or
   permission for the use of such proprietary rights by implementers
   or users of this specification can be obtained from the IETF
   Secretariat.

   The IETF invites any interested party to bring to its attention
   any copyrights, patents or patent applications, or other
   proprietary rights which may cover technology that may be required
   to practice this standard. Please address the information to the
   IETF Executive Director.

6. Acknowledgements

   The "Security Considerations" section of this document is lifted
   with thanks, from [2]. It is edited only lightly for use in this
   document.

7. References

   [1]  Moore, B., and E. Ellesson, J. Strassner, A. Westerinen
        "Policy Core Information Model -- Version 1 Specification",
        RFC 3060, February 2001.
   [2]  Strassner, J., and B. Moore, R. Moats, E. Ellesson "Policy
        Core LDAP Schema", draft-ietf-policy-core-schema-16.txt, a
        Work in Progress of the IETF Policy Framework Working Group,
        October 2002.

   [3]  Hodges, J., and Morgan R., "Lightweight Directory Access
        Protocol (v3): Technical Specification", RFC 3377,
        September 2002.

   [4]  ITU-T Rec. X.500, "The Directory: Overview of Concepts,
        Models and Service", 1993.

   [5]  ITU-T Rec. X.501, "The Directory: Models", 1993.

   [6]  Hluck, MAJ George, "Expert Systems Tutorial"
        http://carlisle-www.army.mil/usacsl/divisions/std/branches/
        keg/expert/es.htm
        NOTE: preceding URL is line-wrapped

   [7]  Bradner, S., "Key words for use in RFCs to Indicate
        Requirement Levels", BCP 14, RFC 2119, March 1997.

   [8]  Howes, T., and M. Smith, "The LDAP URL Format", RFC 2255,
        December 1997.

   [9]  Kernighan, Brian W., and Dennis M. Ritchie, "The C
        Programming Language, Second Edition" Prentice Hall, Inc.,
        1988. ISBN 0-13-110362-8 (paperback), 0-13-110370-9
        (hardback).

   [10] Ken Arnold, James Gosling, David Holmes "The Java(tm)
        Programming Language," Third Edition, ISBN 0-201-70433-1.

   [11] Standard ECMA-262, ECMAScript Language Specification
        http://www.ecma.ch/ecma1/STAND/ECMA-262.HTM

   [12] The Object Management Group, "Common Object Request Broker
        Architecture Specification 3.01," http://www.omg.org

   [13] Ryan, V., and S. Seligman, R. Lee, "Schema for Representing
        Java(tm) Objects in an LDAP Directory", RFC 2713,
        October 1999.

   [14] Ryan, V., and R. Lee, S. Seligman, "Schema for Representing
        CORBA Object References in an LDAP Directory", RFC 2714,
        October 1999.

   [15] M. Wahl, H. Alvestrand, J. Hodges, R. Morgan, "Authentication
        Methods for LDAP", RFC 2829, May 2000.

   [16] J. Hodges, R. Morgan, M. Wahl, "Lightweight Directory Access
        Protocol (v3): Extension for Transport Layer Security",
        RFC 2830, May 2000.

8. Author's Address

   Larry Bartz
   Internal Revenue Service
   575 N. Pennsylvania Street
   Indianapolis, IN 46204
   USA

   Phone: +1 317 226-7060
   Email: larry.bartz@irs.gov

9. Full Copyright Statement

   Copyright (C) The Internet Society (2002). All Rights Reserved.

   This document and translations of it may be copied and furnished
   to others, and derivative works that comment on or otherwise
   explain it or assist in its implementation may be prepared,
   copied, published and distributed, in whole or in part, without
   restriction of any kind, provided that the above copyright notice
   and this paragraph are included on all such copies and derivative
   works. However, this document itself may not be modified in any
   way, such as by removing the copyright notice or references to the
   Internet Society or other Internet organizations, except as needed
   for the purpose of developing Internet standards in which case the
   procedures for copyrights defined in the Internet Standards
   process must be followed, or as required to translate it into
   languages other than English.

   The limited permissions granted above are perpetual and will not
   be revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on
   an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR
   IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.

   This Internet Draft Expires June, 2003
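The bitwise assignment semantics of sections 3.3.2.5.5 to 3.3.2.5.7, as an added example that is not part of the draft: a Python evaluator for lsbActionBitOR, lsbActionBitXOR and lsbActionBitOnesComp that refuses entries lacking a MUST attribute and covers both OnesComplement cases (with and without an Assignment Operand). Assumptions not taken from the draft: the names apply_action, parse_bits, PolicyError and SAMPLE; operands in the LDAP Bit String form '0101'B; the Named Operand naming a key in an in-memory store; equal-length operands; more than one Assignment Operand treated as an error; computed operands needing a caller-supplied resolver; and lsbActionAssignmentMode checked for presence only, since its values are defined outside this part of the document.

```python
import re
# MUST lists and attribute names are the draft's; everything else is assumed.
RHS_ATTRS = ("lsbOperandSpecBitStr", "lsbOperandValueLDAPURLBitStr",
             "lsbOperandDynBitStr")
MUST = {"lsbActionBitOR": ("lsbOperandNamedBitStr", "lsbActionAssignmentMode"),
        "lsbActionBitXOR": ("lsbOperandNamedBitStr", "lsbActionAssignmentMode"),
        "lsbActionBitOnesComp": ("lsbOperandNamedBitStr",)}
BINARY = {"lsbActionBitOR": int.__or__, "lsbActionBitXOR": int.__xor__}

class PolicyError(ValueError):
    """The action entry is malformed; the evaluator refuses rather than guesses."""

def parse_bits(text):  # LDAP Bit String form '0101'B (assumed operand encoding)
    m = re.fullmatch(r"'([01]+)'B", text)
    if m is None:
        raise PolicyError(f"not a bit string: {text!r}")
    return m.group(1)

def apply_action(entry, store, resolvers=None):
    """Apply one bitwise action to store (name -> bits); return the new value."""
    resolvers = {"lsbOperandSpecBitStr": parse_bits, **(resolvers or {})}
    classes = [c for c in entry.get("objectClass", ()) if c in MUST]
    if len(classes) != 1:
        raise PolicyError("need exactly one bitwise lsbAction objectclass")
    cls = classes[0]
    missing = [a for a in MUST[cls] if a not in entry]
    if missing:
        raise PolicyError(f"{cls} lacks MUST attribute(s): {missing}")
    rhs_attrs = [a for a in RHS_ATTRS if a in entry]
    if len(rhs_attrs) > 1 or any(a not in resolvers for a in rhs_attrs):
        raise PolicyError(f"ambiguous or unresolvable operand(s): {rhs_attrs}")
    rhs = resolvers[rhs_attrs[0]](entry[rhs_attrs[0]]) if rhs_attrs else None
    name = entry["lsbOperandNamedBitStr"]
    cur = store.get(name)
    if cls == "lsbActionBitOnesComp":
        src = cur if rhs is None else rhs  # complement of itself, or of the operand
        if src is None:
            raise PolicyError(f"{name} has no value to complement")
        result = "".join("1" if b == "0" else "0" for b in src)
    elif rhs is None or cur is None or len(rhs) != len(cur):
        raise PolicyError(f"{cls} needs two operands of equal length")
    else:
        result = format(BINARY[cls](int(cur, 2), int(rhs, 2)), f"0{len(cur)}b")
    store[name] = result
    return result

# Constructed sample entry; the mode value is a placeholder, not from the draft.
SAMPLE = {"objectClass": ["lsbActionBitOR"], "lsbOperandNamedBitStr": "flags",
          "lsbActionAssignmentMode": "placeholder", "lsbOperandSpecBitStr": "'0011'B"}
```

Calling apply_action(SAMPLE, {"flags": "0101"}) ORs the stored value with the Specified Operand; an entry carrying lsbOperandDynBitStr or lsbOperandValueLDAPURLBitStr is rejected unless the caller passes a resolver for that attribute.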