Subject: [xacml] KeyInfo, Target computation, Target specification
Here are several changes that I recommend making to the schemas and
specification:

1. Schema Request/Subject/KeyInfo

   currently specified as

     <xs:complexType name="SubjectType">
       <xs:sequence>
         <xs:choice>
           <xs:element name="SubjectId" type="xacmlContext:SubjectIdType" minOccurs="0"/>
           <xs:element ref="ds:KeyInfo"/>

   Since either is allowed, and since either one is optional, KeyInfo
   should have minOccurs="0" as follows:

     <xs:complexType name="SubjectType">
       <xs:sequence>
         <xs:choice>
           <xs:element name="SubjectId" type="xacmlContext:SubjectIdType" minOccurs="0"/>
           <xs:element ref="ds:KeyInfo" minOccurs="0"/>

2. Specification Section 4.2.2.1 Target

   Specify that dynamic construction of "target" from component
   rules, policies, or policy sets is not mandatory-to-implement.

   I think the model should be that the XACML PDP engine is
   presented with a PolicySetStatement or PolicyStatement, and that
   statement has a Target. The engine evaluates the Request against
   that Target. How the PolicySetStatement or PolicyStatement is
   constructed prior to being presented to the XACML PDP engine is
   completely implementation-dependent. We could proceed to indicate
   that two possible implementations are ... and ..., but this is
   outside the scope of the XACML specification.

3. Schema Core/Rule/Target

   Currently specified as

     <xs:element name="Target" type="xacml:TargetType" minOccurs="0"/>

   Now that "any" Target is specified using explicit "anySubject",
   "anyResource", "anyAction", this should be

     <xs:element name="Target" type="xacml:TargetType"/>

Anne Anderson
--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692