Subject: RE: [xacml] Attribute and AttributeDesignator for XACML...
Hi Anne,
----------
From: Anne Anderson[SMTP:Anne.Anderson@Sun.com]
Reply To: Anne.Anderson@Sun.com
Sent: Tuesday, April 30, 2002 7:44 AM
To: 'xacml@lists.oasis-open.org'
Subject: Re: [xacml] Attribute and AttributeDesignator for XACML...
On 29 April, Carlisle Adams writes: [xacml] Attribute and AttributeDesignator for XACML...
> This includes both
> AttributeDesignator and Attribute. The idea is that these would be almost
> identical to their counterparts in SAML, but would include three pieces of
> (optional) extra information: Issuer; IssueInstant; and Holder.
SAML includes "Holder" (Subject) when the saml:Attribute is in a
saml:AttributeStatement. SAML includes "Issuer" and "IssueInstant"
when the AttributeStatement is in a saml:Assertion.
Are we redefining these to make them more compact (i.e. we don't
need MajorVersion, MinorVersion, AssertionID, Conditions,
Advice)? Or is the main motivation to allow for our own
definition of "Subject" rather than using SAML's string plus
NameQualifier and Format attributes? Or for some other reason?
My recollection is that we decided that we probably did not need MajorVersion, MinorVersion, AssertionID, Conditions, or Advice for XACML (it seems highly unlikely that anyone would write a rule/policy in which an attribute was qualified by a MinorVersion or an Advice element, whereas it is certainly possible that someone would want to qualify an attribute by Issuer). So, making them more compact is certainly one goal.
However, given that we're defining the "Holder" schema, we do have the freedom to make other changes if we want (e.g., not using the NameQualifier and Format attributes). My preference is not to make such changes lightly (i.e., unless it seems critically important), but we do have this freedom...
Carlisle.