allow more restriction on Identity-ref

Question

allow more restriction on Identity-ref

lllyfeng opened this issue 2 years ago · 2 comments

the current identity-ref type only have base statements to indicate the identites dervied from base identity can be acceptable values. But it's not enough.
For example,
If an identity-ref' base is iana-interface-type, but ddnX25 which is dervied from iana-interface-type is not allowed. How to express it?
So, I suggest add 'permit'/'deny' statements to base statement.
Like this:
type identity-ref {
base iana:iana-interface-type {
permit xxxx;
deny xxxx;
}
}

Answer 1 · 2024-08-31T18:48:00.000Z

I do not see why both permit and deny are needed in this case.
What happens for a value in neither list?

This is related to #80 and #107

This sub-statement is applicable if the restriction is applied to every server implementation.

A shorthand form instead of a complex must/when expression would be much easier to use

Must Do: complexity: medium, bc: high, importance: high

Answer 2 · 2024-09-04T09:52:58.000Z

I agree, it should be either permit or deny,:)