allow more restriction on Identity-ref
lllyfeng opened this issue · 2 comments
The current identity-ref type only has base statements to indicate that the identities derived from the base identity can be acceptable values. But it's not enough.
For example,
if an identity-ref's base is iana-interface-type, but ddnX25, which is derived from iana-interface-type, is not allowed. How to express it?
So, I suggest adding 'permit'/'deny' statements to the base statement.
Like this:
    type identity-ref {
      base iana:iana-interface-type {
        permit xxxx;
        deny xxxx;
      }
    }
I do not see why both permit and deny are needed in this case.
What happens for a value in neither list?
This is related to #80 and #107
This sub-statement is applicable if the restriction is applied to every server implementation.
A shorthand form instead of a complex must/when expression would be much easier to use
Must Do: complexity: medium, bc: high, importance: high
I agree, it should be either permit or deny :)
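For comparison, the must-expression form that the thread mentions as the current alternative, written as an added example in YANG 1.1 (not part of the original issue and not the proposed permit/deny syntax). The module name, namespace and leaf names are hypothetical; `ethernetCsmacd` and `ieee8023adLag` are identities from iana-if-type chosen here only to illustrate an allow-list.

```yang
module example-if-restrict {
  yang-version 1.1;
  namespace "urn:example:if-restrict";   // hypothetical namespace
  prefix exr;

  import iana-if-type {
    prefix iana;                          // prefix chosen to match the issue text
  }

  // "deny" style: any identity derived from iana-interface-type
  // is accepted, except ddnX25 and anything derived from it.
  leaf link-type {
    type identityref {
      base iana:iana-interface-type;
    }
    must "not(derived-from-or-self(., 'iana:ddnX25'))" {
      error-message "ddnX25 is not an acceptable interface type here";
    }
  }

  // "permit" style: only the listed identities (and identities
  // derived from them) are accepted; a value in neither branch of
  // the expression is rejected.
  leaf uplink-type {
    type identityref {
      base iana:iana-interface-type;
    }
    must "derived-from-or-self(., 'iana:ethernetCsmacd') or "
       + "derived-from-or-self(., 'iana:ieee8023adLag')" {
      error-message "only Ethernet and LAG interface types are accepted";
    }
  }
}
```

Because the restriction lives in a must statement rather than in the type, it is enforced at datastore validation time and has to be repeated on every node that uses the type, which is the overhead the requested shorthand would remove.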