Subject: Re: [xacml][schema] 20-5 concall minutes
Participants: Anne, Simon, Norman, Ernesto, Konstantin

Simon illustrates his proposal about attribute designator syntax that was sent to the list. No big change to the schema is required. The main points of the proposal are:

1. Different declarations for attribute designators, differentiating them into subject attribute designator, resource attribute designator, etc. This would already delimit the scope, as each of these designators will implicitly point to different portions of the request context.

2. A single attribute-designator element equipped with an additional '@kind' attribute with values (subject|resource|other).

3. A 'selector' element that will use an arbitrary XPath expression to point into the context.

Anne comments that a single subject is an oversimplification, and it must be clarified how the proposal deals with multiple subjects. Simon explains that the main problem with multiple and complex subjects is that we have not decided a syntax for the holder yet. Anne proposed to allow an XPath as a value of the holder.

It is agreed to consider points 1 and 3 of Simon's proposal for a formal approval next concall. Meanwhile comments are welcome.

Simon and Ernesto added that we should not overdo it with XPaths. We should at least recommend that only the child axis is used. Also, type conversion should be used with care; it may introduce unexpected results. A clear, non-ambiguous explanation of the kind of XPath that we allow in XACML policies should be added to the specs.

Also, controlling the overload of the equal operator and defining its behavior is crucial, since one or both sides of a comparison can now be XPaths into the XACML context. How can we control the outcome? It is necessary to check implicit type conversions between XPaths and literals, etc.

Simon observes that being able to designate attributes of multiple subjects does not address the fundamental problem with the concept of multiple subjects, namely, what is the relationship between them? E.g., how can we express subject equivalence?

Regards
ernesto

Prof. Ernesto Damiani
Dipartimento di Tecnologie dell'Informazione
Universita' di Milano - Polo di Crema
Via Bramante 65, 26013 Crema, Italia
tel +39-0373-898240 fax +39-0373-898253
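The two concerns raised in the minutes (restricting selectors to the child axis, and the implicit type conversions that XPath 1.0 applies when a node-set is compared with a literal) can be shown concretely. The following is an added example, not code from the list post or from any XACML draft or implementation: it uses a constructed request context whose element names (Request, Subject, Resource, Attribute) are assumptions, not the committee's schema. It implements a validator that accepts only absolute child-axis paths, a minimal evaluator for such paths, and two comparison semantics side by side: the XPath 1.0 rule (true if any node matches, with string-to-number coercion) and a strict rule that requires exactly one value.

```python
import re
import xml.etree.ElementTree as ET

# Constructed request context with two subjects (not from the page or any spec).
# The resource id is deliberately "042" to show numeric coercion.
CONTEXT = ET.fromstring("""
<Request>
  <Subject>
    <Attribute name="role">admin</Attribute>
    <Attribute name="role">auditor</Attribute>
  </Subject>
  <Subject>
    <Attribute name="role">guest</Attribute>
  </Subject>
  <Resource><id>042</id></Resource>
</Request>
""")

NCNAME = r"[A-Za-z_][\w.-]*"
# One location step: optional explicit child axis, an element name, and an
# optional attribute-equality predicate. No other axes, no functions, no "..".
STEP = re.compile(rf"^(?:child::)?({NCNAME})(?:\[@({NCNAME})=(?:'([^']*)'|\"([^\"]*)\")\])?$")


def parse_child_axis_path(path):
    """Accept only absolute paths made of child-axis steps; raise ValueError otherwise."""
    if not path.startswith("/") or "//" in path:
        raise ValueError(f"only absolute child-axis paths are allowed: {path!r}")
    steps = []
    for raw in path[1:].split("/"):
        m = STEP.match(raw)
        if not m:
            raise ValueError(f"disallowed location step {raw!r} in {path!r}")
        name, attr, v1, v2 = m.groups()
        steps.append((name, attr, v1 if v1 is not None else v2))
    return steps


def is_allowed_path(path):
    """Boolean wrapper around the validator, convenient for policy linting."""
    try:
        parse_child_axis_path(path)
        return True
    except ValueError:
        return False


def _matches(node, name, attr, value):
    return node.tag == name and (attr is None or node.get(attr) == value)


def select(context, path):
    """Evaluate a validated child-axis path against the context; returns a node list."""
    steps = parse_child_axis_path(path)
    name, attr, value = steps[0]
    nodes = [context] if _matches(context, name, attr, value) else []
    for name, attr, value in steps[1:]:
        nodes = [c for n in nodes for c in n if _matches(c, name, attr, value)]
    return nodes


def string_values(nodes):
    """XPath string-value of each element (concatenated text), whitespace-trimmed."""
    return ["".join(n.itertext()).strip() for n in nodes]


def xpath1_equal(nodes, literal):
    """XPath 1.0 '=' between a node-set and a literal: true if ANY node matches.
    A number literal converts each node's string-value to a number first, so
    "042" = 42 holds; a string literal is compared as a string, so "042" = "42" fails."""
    values = string_values(nodes)
    if isinstance(literal, bool):
        return bool(nodes) == literal
    if isinstance(literal, (int, float)):
        def to_num(s):
            try:
                return float(s)
            except ValueError:
                return float("nan")  # NaN compares unequal to everything
        return any(to_num(s) == literal for s in values)
    return any(s == literal for s in values)


def strict_equal(nodes, literal):
    """A stricter '=': exactly one selected value, compared as a string.
    Raises on zero or multiple values instead of silently picking 'any'."""
    values = string_values(nodes)
    if len(values) != 1:
        raise ValueError(f"expected exactly one value, got {len(values)}: {values}")
    return values[0] == str(literal)


if __name__ == "__main__":
    roles = select(CONTEXT, "/Request/Subject/Attribute[@name='role']")
    print("roles:", string_values(roles))
    print("xpath1 role='admin':", xpath1_equal(roles, "admin"))  # true although a guest is present
    rid = select(CONTEXT, "/Request/Resource/id")
    print("xpath1 id=42:", xpath1_equal(rid, 42), " id='42':", xpath1_equal(rid, "42"))
    print("allowed //Attribute:", is_allowed_path("//Attribute"))
```

With a multi-subject context, the XPath 1.0 rule makes `role = 'admin'` true even though a second subject only holds `guest`, which is exactly the ambiguity the minutes flag; the strict variant refuses to compare a multi-valued node-set at all, forcing the policy writer to say which subject is meant. The numeric case shows why the literal's type, not only its text, decides the outcome.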