[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: [xacml] KeyInfo, Target computation, Target specification
Here are several changes that I recommend making to the schemas
and specification:
1. Schema Request/Subject/KeyInfo currently specified as
<xs:complexType name="SubjectType">
<xs:sequence>
<xs:choice>
<xs:element name="SubjectId"
type="xacmlContext:SubjectIdType" minOccurs="0"/>
<xs:element ref="ds:KeyInfo"/>
Since either is allowed, and since either one is optional,
KeyInfo should have minOccurs="0" as follows:
<xs:complexType name="SubjectType">
<xs:sequence>
<xs:choice>
<xs:element name="SubjectId"
type="xacmlContext:SubjectIdType" minOccurs="0"/>
<xs:element ref="ds:KeyInfo" minOccurs="0"/>
2. Specification Section 4.2.2.1 Target
Specify that dynamic construction of "target" from component
rules, policies, or policy sets is not mandatory-to-implement.
I think the model should be that the XACML PDP engine is
presented with a PolicySetStatement or PolicyStatement, and
that statement has a Target. The engine evaluates the Request
against that Target.
How the PolicySetStatement or PolicyStatement is constructed
prior to being presented to the XACML PDP engine is completely
implementation-dependent. We could proceed to indicate that
two possible implementations are ... and ..., but this is
outside the scope of the XACML specification.
3. Schema Core/Rule/Target
Currently specified as
<xs:element name="Target" type="xacml:TargetType"
minOccurs="0"/>
Now that "any" Target is specified using explicit
"anySubject", "anyResource", "anyAction", this should be
<xs:element name="Target" type="xacml:TargetType"/>
Anne Anderson
--
Anne H. Anderson Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311 Tel: 781/442-0928
Burlington, MA 01803-0902 USA Fax: 781/442-1692
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC