Re: [xacml-dev] XACML 2

[seth proctor <Seth.Proctor@Sun.COM>]

Diego M. Gonzalez wrote:
> Seems the scenario you are proposing about references between versions
> is covered with the elements that extends IdReferenceType
> (PolicySetIdReference and PolicyIdReference) now the references must add
> some information about versioning: Version, EarliestVersion and
> LatestVersion. The section 5.21 defines the matching behavior. 

Actually that's a little different. The new feature in 2.0 is about 
revision numbers on policies, not which version of XACML is acceptable 
(which is what I raised). The new version feature has two components: it 
lets me put a version number in a Policy or PolicySet (eg, this is 
version 2.3.7 of this policy) and then lets me put a required version or 
range of versions in a reference (so, for instance, I can reference any 
versions of the policy later than 2.3). If more than one version is 
available, you're supposed to use the latest version available. Note 
that these are optional attributes, so you can ignore them in your 
policies and references, and you get the same behavior as in 1.x. I 
suggested this feature for 2.0, so if you don't like it complaints go to 
me :)

The original issue I raised had to do with the version of XACML a policy 
uses. So for instance, let's say we have an XACML 2.0 policy with a 
reference to an XACML 1.1 policy. How should we handle this? My instinct 
is to allow the engine to process the 2.0 policy using the 2.0 spec, but 
process the referenced policy using the 1.1 spec, since the result that 
comes back means the same in 1.1 and 2.0. I suspect, however, that I'll 
discover some corner cases when I actually try doing this. Dunno. We'll 
see...


seth