security-services message

Subject: Suggested core changes for Attribute by-value queries


Working off of the last call PDF:
http://www.oasis-open.org/apps/org/workgroup/security/download.php/7737

1002-1066:
We merge the AttributeDesignator and Attribute elements/types into a single
Attribute element and AttributeType type that is structurally identical to
the derived version we have now (permits 0 to many AttributeValue elements).
This would be used anywhere we currently refer to AttributeDesignator.

A value-less element is interpreted based on context. In a request or
metadata situation, no values implies no requirements with respect to
specific values. In an AttributeStatement, no values means the attribute has
no values, as the text says now. We should be explicit about this, since
Attribute could get used somewhere else and that new use should be clear on
what the meaning is.

1633:
AttributeQuery would contain 0 or more Attribute elements. As now, zero
indicates that all attributes and values should be returned subject to
policy. No Attribute with the same NameFormat and Name can appear twice in a
single query (enforced in prose, allows sequential processing of attributes
with undefined behavior if you violate the rule).

An Attribute with no values is a query for all applicable values of that
Attribute, subject to policy. An Attribute with one or more values in the
query means that only the named values can be in the assertion(s) returned.
Not all the values named nor all the Attributes named need be returned, just
as is true now.

Regarding value comparisons, I would suggest text that says in the absence
of an attribute profile stating otherwise, value comparison should be based
on XML "equality" in the strictest sense. What goes in must come out.

We don't need to state it, but the obvious implementation would be to just
copy the Attribute elements into a template statement and then go through
pruning any attributes or values not held or not permitted to release. That
way we get more power, and easier code. ;-)

I think that's it.

-- Scott
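The template-and-prune processing sketched in the message above, as an added example that is not part of the original post and not OASIS or committee code. It assumes a hypothetical in-memory attribute store (a dict keyed by `(NameFormat, Name)`) and a release policy (a set of the same keys) standing in for an IdP backend; the query and stored values are constructed sample data. The code copies the query's Attribute elements into a template statement, prunes attributes that are not held or not releasable, prunes values that are not held using strict XML identity of the AttributeValue element (no whitespace, case or type normalisation), expands a value-less Attribute to all held values, treats an empty query as "everything subject to policy", and rejects a query that repeats the same `(NameFormat, Name)`.

```python
"""Template-and-prune evaluation of a SAML 2.0 AttributeQuery.

Added example, not OASIS or committee code. The attribute store and
release policy are hypothetical stand-ins for an IdP's backend.
"""
import copy
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)

ATTRIBUTE = f"{{{SAML}}}Attribute"
VALUE = f"{{{SAML}}}AttributeValue"
STATEMENT = f"{{{SAML}}}AttributeStatement"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"


def attr_key(attr):
    """Identity of an Attribute is (NameFormat, Name); SAML 2.0 core treats a
    missing NameFormat as 'unspecified'."""
    return (attr.get("NameFormat", UNSPECIFIED), attr.get("Name"))


def value_key(el):
    """Strict XML identity of an AttributeValue: tag, attributes, text and
    children, with no whitespace, case or type normalisation."""
    return (el.tag, tuple(sorted(el.attrib.items())), el.text or "",
            tuple((value_key(c), c.tail or "") for c in el))


def make_value(text):
    v = ET.Element(VALUE)
    v.text = text
    return v


def build_query(attributes, subject="alice"):
    """Constructed AttributeQuery; attributes is [(Name, NameFormat|None, [value text])]."""
    root = ET.Element(f"{{{SAMLP}}}AttributeQuery",
                      {"ID": "_q1", "Version": "2.0", "IssueInstant": "2004-09-01T00:00:00Z"})
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = "https://sp.example.org/saml"
    subj = ET.SubElement(root, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID").text = subject
    for name, fmt, values in attributes:
        attrib = {"Name": name} if fmt is None else {"Name": name, "NameFormat": fmt}
        a = ET.SubElement(root, ATTRIBUTE, attrib)
        for text in values:
            a.append(make_value(text))
    return ET.tostring(root, encoding="unicode")


def parse_query(query_xml):
    """Return the query's Attribute elements, rejecting a repeated (NameFormat, Name)."""
    root = ET.fromstring(query_xml)
    attrs = root.findall(ATTRIBUTE)
    seen = set()
    for a in attrs:
        key = attr_key(a)
        if key in seen:
            raise ValueError(f"Attribute {key} appears twice in one query")
        seen.add(key)
    return attrs


def evaluate(query_xml, held, releasable):
    """Build the AttributeStatement for one subject.
    held: {(NameFormat, Name): [value text, ...]} the IdP holds for the subject.
    releasable: set of (NameFormat, Name) that policy allows to this requester."""
    requested = parse_query(query_xml)
    if requested:
        template = [copy.deepcopy(a) for a in requested]  # the query is the template
    else:  # zero Attribute elements: everything held, subject to policy
        template = [ET.Element(ATTRIBUTE, {"NameFormat": fmt, "Name": name})
                    for fmt, name in held]
    stmt = ET.Element(STATEMENT)
    for attr in template:
        key = attr_key(attr)
        if key not in held or key not in releasable:
            continue  # prune: not held, or not permitted to release
        asked = {value_key(v) for v in attr.findall(VALUE)}
        for v in list(attr):
            attr.remove(v)  # rebuild the value list from what is actually held
        for text in held[key]:
            v = make_value(text)
            if not asked or value_key(v) in asked:  # no values asked = all values
                attr.append(v)
        if asked and len(attr) == 0:
            # None of the named values is held. Omitting the Attribute beats
            # returning it empty, which would assert "has no values".
            continue
        stmt.append(attr)
    return stmt


def statement_summary(stmt):
    return {attr_key(a): [v.text for v in a.findall(VALUE)] for a in stmt.findall(ATTRIBUTE)}


# Constructed sample data: what the IdP holds for "alice" and what it may release.
SUBJECT_ATTRIBUTES = {
    (URI_FORMAT, "eduPersonAffiliation"): ["member", "student"],
    (URI_FORMAT, "mail"): ["alice@example.org"],
    (URI_FORMAT, "employeeNumber"): ["12345"],
}
RELEASE_POLICY = {(URI_FORMAT, "eduPersonAffiliation"), (URI_FORMAT, "mail")}
QUERY = build_query([
    ("eduPersonAffiliation", URI_FORMAT, ["member", "staff"]),  # only "member" is held
    ("mail", URI_FORMAT, []),                                    # all values, subject to policy
    ("employeeNumber", URI_FORMAT, []),                          # held but not releasable
])

if __name__ == "__main__":
    print(ET.tostring(evaluate(QUERY, SUBJECT_ATTRIBUTES, RELEASE_POLICY), encoding="unicode"))
```

Note the two places where "strict" bites: a query value with surrounding whitespace does not match the stored value, and an Attribute that omits NameFormat is keyed as `unspecified` and so does not match a store that holds the same Name under the `uri` format. Both are the kind of mismatch an attribute profile would have to relax explicitly.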
