Subject: [xacml] [schema] Notes from sub-committee 12 July 2002


1. [Anne] Definition of xacml:DecisionType
   http://lists.oasis-open.org/archives/xacml/200207/msg00010.html

   Decision: "Effect" and "FulfilOn" will be restricted to
      "Permit" and "Deny"


3. [Anne] Optional <Target> in Rule (since often same as Policy)
   http://lists.oasis-open.org/archives/xacml/200207/msg00011.html
   [optional in v15]

   Options:
   a. Optional <Target> in Rule (already optional in 15g):
      semantics ::= "match"
   b. Define <Target> to be a choice
        1. urn:oasis:...:anyTarget, or
        2. <Subject>...</Subject>,<Resource>...</Resource>,...
      and use 1. for this case.
   c. Use <Subject>urn:oasis:...:any</Subject>,
      <Resource>urn:oasis:...:any</Resource> for this case.

   Decision: Decide on Monday

5. [Michiharu] SubjectId Format attribute optional?
   http://lists.oasis-open.org/archives/xacml/200207/msg00009.html [1)]
   [required in v15]
   NameQualifier is an administrative domain
   Format is syntax of name (e.g. defining standard): "X500Name",
     "RFC822Name"
   Format: optional, or mandatory with "unknown" value and
     mandatory?
   Note: policies may not check the Format, so why are we
     requiring it?  Mandatory in Policy?

   Decision: optional, but default value is "String"

6. [Michiharu] Namespace attribute in AttributeMetaData optional?
   http://lists.oasis-open.org/archives/xacml/200207/msg00009.html [2)]
   [required in v15]
   Namespace attribute in AttributeMetaData where it comes from SAML
     Evidence.

   Decision: Both required.
     For SAML Evidence: AttributeName is "Evidence" and
      AttributeNamespace is "SAML".

7. [Michiharu] AuthenticationInfo element 0-unbounded?
   http://lists.oasis-open.org/archives/xacml/200207/msg00009.html [3)]
   [0 or 1 in v15]
   Treat any SAML AuthenticationInfo as one or more Subject
     Attributes (full SAML Assertion as value)?

   Decision: AuthenticationInfo element 0-unbounded

8. [Michiharu] Action element needs a URI Namespace and String
   Action value?
   http://lists.oasis-open.org/archives/xacml/200207/msg00009.html [4)]

   Decision: yes.

12. [Anne] Just Attribute (AttributeMetaData and AttributeValue) and
   AttributeSelector (XPATH)
   http://lists.oasis-open.org/archives/xacml/200207/msg00012.html

   Decision: v15 schema fixes this satisfactorily: Attribute
      different in Context (Metadata and value) and Policy
      (value), and AttributeDesignator (selector) used only in
      Policy.

13. [Michiharu] Operators
    http://lists.oasis-open.org/archives/xacml/200207/msg00017.html
    [Tim's list]
    http://lists.oasis-open.org/archives/xacml/200207/msg00023.html
    http://lists.oasis-open.org/archives/xacml/200207/msg00031.html
    [v15 spec list]
    http://lists.oasis-open.org/archives/xacml/200207/msg00041.html

    Decision: Use Tim's list, to be augmented with Set functions.
      Two (or more) Compliance Profiles:
        a. Duration functions not required
        b. Duration functions required
    
14. [Michiharu] Type promotion
    http://lists.oasis-open.org/archives/xacml/200207/msg00017.html

    Decision: we are happy with Michiharu's promotions and think
    this solves the "numeric" conversion problem.

15. [Daniel] mapping "numeric"
    http://lists.oasis-open.org/archives/xacml/200207/msg00033.html

    Decision: probably just an issue for floating point values,
      which are not commonly used in policies, so not a big
      issue.  Daniel and others with concerns are welcome to propose a
      method for mapping these if they still see issues.

16. [Anne] Target matching:
    a. Just use XPATH?
    b. Use XPATH for AttributeDesignator plus a specified value
      to be matched, plus an implied xacml:equals operator?
    c. As in b, but specify the operator?
    http://lists.oasis-open.org/archives/xacml/200207/msg00018.html
    [Michiharu response]
    http://lists.oasis-open.org/archives/xacml/200207/msg00032.html
    a. XPATH can return 0 nodes, 1 node, or multiple nodes.
       (specify ALL or ANY match; XPath 2.0 does not support)

       Example: point to "role" AttributeName.  Want to match "at
       least one".

    b. A node can be structured in depth (XPath 2.0 supports
       "sequence-deep-equal"); similar to our [@Format="x" and
       Value="y"]

    Decision: XPATH, value plus use correct "equals" for the
      types specified [as in v15].  Must use "standard" "equals"
      function for the data type, but we will not spell out what
      that function is except for xml base types.  For example,
      for comparing an X500 Distinguished Name, the
      implementation would be expected to support the standard
      X500 DN MatchingRule.

    Decision: Where multiple Subjects or Resources elements occur
      in a Target, then ALL the specified matches must be
      satisfied.

    Decision: Where the AttributeDesignator in a single Subjects
      or Resources element returns multiple nodes, then the match
      is satisfied if at least one of the returned nodes matches
      the supplied comparison value.

    Decide Monday on whether sequence-deep-equal supported.

17. [Anne] Target matching
    a. ANY
    b. ALL
    c. Specify
    http://lists.oasis-open.org/archives/xacml/200207/msg00018.html
    [Michiharu response]
    http://lists.oasis-open.org/archives/xacml/200207/msg00032.html

    Decision: ALL match for multiple Subjects or Resources elements;
      AT-LEAST-ONE match for multiple nodes within a single
      Subjects or Resources element.

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
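The Target matching rules recorded under items 3, 16 and 17 (ALL of the listed Subjects/Resources matches must hold; within one match, AT-LEAST-ONE of the nodes an AttributeDesignator returns must equal the supplied value; "equals" is the standard function for the value's data type, e.g. the X.500 DN matching rule rather than plain string comparison), carried through as an added Python example. This is not code from the message above or from the XACML TC; the Request context layout, the designator paths, the Format identifiers used as type keys and the simplified DN and RFC822 comparison rules are assumptions constructed for illustration.

```python
"""Added example: Target matching as decided under items 3, 16 and 17.

Not code from the message or the XACML TC. The context layout, the
designator paths and the simplified X.500/RFC822 comparison rules below are
assumptions made for illustration only.
"""
import xml.etree.ElementTree as ET

# Constructed request context (illustrative, not a v15 schema instance).
CONTEXT_XML = """
<Request>
  <Subject>
    <Attribute AttributeName="role" Namespace="urn:example:attr">
      <AttributeValue>nurse</AttributeValue>
    </Attribute>
    <Attribute AttributeName="role" Namespace="urn:example:attr">
      <AttributeValue>physician</AttributeValue>
    </Attribute>
    <Attribute AttributeName="subject-id" Namespace="urn:example:attr"
               Format="X500Name">
      <AttributeValue>cn=Alice Smith, ou=Cardiology, o=Example Hospital</AttributeValue>
    </Attribute>
    <Attribute AttributeName="email" Namespace="urn:example:attr"
               Format="RFC822Name">
      <AttributeValue>Alice.Smith@EXAMPLE.ORG</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeName="resource-type" Namespace="urn:example:attr">
      <AttributeValue>patient-record</AttributeValue>
    </Attribute>
  </Resource>
</Request>
"""

# Hypothetical designators; ElementTree's limited XPath subset is enough here.
ROLE = "./Subject/Attribute[@AttributeName='role']/AttributeValue"
SUBJECT_DN = "./Subject/Attribute[@AttributeName='subject-id']/AttributeValue"
EMAIL = "./Subject/Attribute[@AttributeName='email']/AttributeValue"
RESOURCE_TYPE = "./Resource/Attribute[@AttributeName='resource-type']/AttributeValue"


def string_equal(a, b):
    return a == b


def x500name_equal(a, b):
    """Simplified stand-in for the X.500 DN matching rule (assumption): RDNs
    compared in order, attribute types and values case-insensitive,
    surrounding whitespace ignored."""
    def normalise(dn):
        out = []
        for rdn in dn.split(","):
            typ, _, val = rdn.partition("=")
            out.append((typ.strip().lower(), " ".join(val.split()).lower()))
        return out
    return normalise(a) == normalise(b)


def rfc822name_equal(a, b):
    """Local part case-sensitive, domain case-insensitive (assumption)."""
    local_a, _, dom_a = a.partition("@")
    local_b, _, dom_b = b.partition("@")
    return local_a == local_b and dom_a.lower() == dom_b.lower()


# "Standard equals" per data type; "String" is the default Format (item 5).
EQUALS = {
    "String": string_equal,
    "X500Name": x500name_equal,
    "RFC822Name": rfc822name_equal,
}


def load_context(xml_text=CONTEXT_XML):
    return ET.fromstring(xml_text)


def match_one(ctx, designator, data_type, value):
    """One Subjects/Resources match. The designator may return 0, 1 or many
    nodes; the match holds if AT LEAST ONE returned node equals `value` under
    the type's equals function, so zero nodes never match."""
    equals = EQUALS[data_type]
    return any(equals((node.text or "").strip(), value)
               for node in ctx.findall(designator))


def target_matches(ctx, target):
    """A Target is a list of (designator, type, value) matches; ALL must hold.
    An empty Target matches everything, the "match" semantics of an omitted
    Rule <Target> under item 3, option a."""
    return all(match_one(ctx, d, t, v) for d, t, v in target)


if __name__ == "__main__":
    ctx = load_context()
    dn = "CN=alice smith,OU=Cardiology,O=Example Hospital"
    print(target_matches(ctx, [(ROLE, "String", "physician"),
                               (RESOURCE_TYPE, "String", "patient-record")]))  # True
    print(target_matches(ctx, [(ROLE, "String", "admin")]))            # False
    print(target_matches(ctx, [(SUBJECT_DN, "X500Name", dn)]))         # True
    print(target_matches(ctx, [(SUBJECT_DN, "String", dn)]))           # False
```

The second and fourth calls show the two points the sub-committee was careful about: a designator returning several role nodes is satisfied by any one of them, while the same DN compared with the wrong (string) equals silently fails, which is why the decision ties "equals" to the data type rather than to a single generic function.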


