Re: [xacml-comment] Inconsistent specification of <*Match> elementsand -match functions

[Anne Anderson <Anne.Anderson@Sun.com>]

Dear Anne Anderson,

Thank you for submitting your comment.  The XACML TC response to
your comment is:

CATEGORY: Inconsistent.
STATUS: Resolved 14 November 2002.
RESPONSE: Rejected.  While the wording of Appendix A.12 needs
improvement to be more clear, and while it is confusing to have
the order of function arguments mean one thing in a Target and
another thing in an Apply, the specification and semantics are
consistent. Since several implementations are already
successfully handling the varying argument order, we feel it is
better to leave the argument order as currently specified.  We
encourage you to submit a proposed re-wording of Appendix A.12
that would make the current semantics more clear, however.
ACTIONS: None.

Sincerely,
Anne Anderson, comments editor

On 11 November, Anne Anderson writes: [xacml-comment] Inconsistent specification of <*Match> elements and  -match functions
 > From: Anne Anderson <Anne.Anderson@Sun.COM>
 > To: xacml-comment@lists.oasis-open.org
 > Subject: [xacml-comment] Inconsistent specification of <*Match> elements and
 >  -match functions
 > Date: Mon, 11 Nov 2002 14:28:14 -0500 (EST)
 > 
 > Problem: MatchId functions used in a target take one
 >    AttributeDesignator or AttributeSelector argument, and one
 >    literal AttributeValue argument.  The order of the two
 >    arguments is specified differently in different parts of the
 >    specification.  Also, the *-match functions can only be used
 >    in a Target if the order of their arguments (template,
 >    specific value) agree with the order of arguments in a MatchId
 >    function (the AttributeDesignator or AttributeSelector, and
 >    the literal value).
 > 
 > Recommendation:
 >  Option 1:
 >    Specify that the first argument to each *-match function is
 >    the specific value to be compared to the template, and the
 >    second argument is the template.  To be consistent, rename
 >    "regexp-string-match" to "string-regexp-match".  This requires
 >    the least change to the specification.
 > 
 >  Option 2:
 >    Specify that the first argument to a MatchId function is a
 >    literal AttributeValue and the second argument is the
 >    AttributeDesignator or AttributeSelector.
 > 
 > Text locations where references occur:
 >  1 must change if Option 1 selected
 >  2 must change if Option 2 selected
 > 
 > 2 - Every occurrence of <SubjectMatch, <ResourceMatch, or
 >   <ActionMatch except as called out below: Change order of
 >   AttributeSelector or AttributeDesignator argument and
 >   AttributeValue argument
 > 
 > 2 - Section A.12 lines 3491-3493: reword as follows:
 > 
 >    "Each argument to the named function MUST match the
 >   appropriate primitive types for the explict attribute value and
 >   the following <AttributeDesignator> or <AttributeSelector>
 >   element, ...
 >   
 > 1 - Section A.12, lines 3493-3496: reword as follows:
 > 
 >    "... such that an element of the bag returned by the
 >   <AttributeDesignator> or <AttributeSelector> element is placed
 >   as the first argument to the function, and the explicit
 >   attribute value is placed as the second argument to the
 >   function."
 > 
 > 1 - Section A.14.12, lines 4250-4281: reverse order of arguments
 >   in the specifications for the -match functions, such that the
 >   first argument is the full value to be compared to the template
 >   or dominating value, and the second argument is the template or
 >   dominating (higher in the tree of values) value.
 > 
 > 2 - Section A.14.13, lines 4306-4313: the specification of the
 >   xpath-node-match function probably needs to change to be
 >   consistent with the above if xpath-node-match is to be allowed
 >   in a Target expression.  Note that several examples use
 >   xpath-node-match as MatchId functions, and line 3503 implies
 >   that this is permissable, but lines 3535-3540 indicate that
 >   xpath-node-match is NOT permissable in a MatchId function.
 > 
 > Anne Anderson
 > -- 
 > Anne H. Anderson             Email: Anne.Anderson@Sun.COM
 > Sun Microsystems Laboratories
 > 1 Network Drive,UBUR02-311     Tel: 781/442-0928
 > Burlington, MA 01803-0902 USA  Fax: 781/442-1692
 > 
 > 
 > ----------------------------------------------------------------
 > To subscribe or unsubscribe from this elist use the subscription
 > manager: <http://lists.oasis-open.org/ob/adm.pl>
 > 

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692