Subject: [xacml] [schema] list of issues for sub-committee discussion on 26 July 2002


Colleagues,

I have marked some of these "CLOSED unless someone objects".
These either seem obvious typos, or else received only positive
comments on the list.  I suggest we start with those, then pick
up with #40, which is where we left off Monday (modulo CLOSED
unless someone objects).  Finally, we can cycle back to the
contentious issues we were unable to resolve on Monday.

-Anne

Title:   XACML schema issues
Author:  Anne Anderson
Version: 1.19, 02/07/25 (yy/mm/dd)
Source:  /net/labeast.east/files2/east/info/projects/isrg/xacml/docs/SCCS/s.SchemaIssues.txt

Next schema subcommittee meeting: Friday 26 July 2002, usual time
    (10am-12 EDT).
New schemas, version 16a:
http://lists.oasis-open.org/archives/xacml/200207/msg00141.html

ISSUES:

34. [Michiharu] XPath Subset
    http://lists.oasis-open.org/archives/xacml/200207/msg00066.html

    Complexity, especially when namespace must be specified.  For
    simple XPATH, context schema must be flattened.  How to limit
    XPATH if using a general-purpose library.  Check in policy
    authoring tool.  Context can use any XPATH expression, but
    policy is limited.  Could XPATH evaluation be done on the
    requester side, with just the extracted elements being handed to
    the PDP?  Should context be designed without any attributes,
    in order to make XPATH simpler (just element /)?

    OPEN: May want to consider 45 first (simpler
    AttributeDesignator without XPATH)

36. [Anne] attribute references and indeterminate results
    Long, verbose, religious, tedious thread starts with:
      http://lists.oasis-open.org/archives/xacml/200207/msg00071.html

    Some sub-issues and options

    Order of evaluation
    a. In what order MUST arguments be evaluated
       1. Depends on the function: e.g. "or" vs. "orderedOr"
       2. Always implementation-dependent unless function
          specifies an order
       3. Always implementation-dependent
    b. MUST all arguments be evaluated?
       1. Yes
       2. No, if a result can be returned without evaluating all
       3. No, but regardless of order of evaluation, an error or
          missing information causes an exception
    c. MAY all arguments be evaluated (for purpose of reporting
       errors or unavailable information), even if not required
       to reach a function result?
       1. Yes
       2. No

    Operational errors
    a. Reporting of errors obtained while evaluating a request by PDP
       1. Reporting is optional
       2. Reporting is mandatory
       3. Reporting is not allowed
    b. Does an operational error
       1. Generate an exception that by-passes further evaluation
       2. Cause an error that is processed by the function
    c. What is the Response returned when an operational error occurs?
       1. Response value of INDETERMINATE
       2. Depends on the Function: value, INDETERMINATE
       3. Depends on Combining Algorithm: PERMIT, DENY, or INDETERMINATE
       4. New Response value of ERROR
    d. If operational errors are reported, how is the type of
       error reported?
       1. Reported via Simon's Status element in response

    Missing information
    a. Can a function ignore missing information if the function's
       semantics allow it to be evaluated without that
       information?
       1. Yes: e.g. OR(missing, true, false) can return true
       2. No: missing information generates an exception that
          by-passes further evaluation
    b. Can a function return INDETERMINATE?
       1. Yes: e.g. OR(missing, false, false) can return
          INDETERMINATE, since it MIGHT be true if "missing" were
          available.
       2. No: missing information generates an exception that is
          handled by the most immediate enclosing Combining
          Algorithm
       3. No: missing information must be translated into one of
          the values of the datatype that the function returns.
          Function semantics must specify what this is.
    c. How does a Combining Algorithm handle a Rule, etc. that
          returns INDETERMINATE?
       1. Pass up INDETERMINATE to next higher layer, eventually
          to the Response
       2. Specify via algorithm description how INDETERMINATE is
          handled.  E.g. Deny-Overrides maps INDETERMINATE to
          DENY.
    d. Must all information be supplied by the PEP?
       1. Yes.  Anything not in Request document supplied by PEP
          is INDETERMINATE.  XACML Request treated as physical
          document.
       2. No.  PDP MAY retrieve information not supplied by PEP.
          XACML Request treated as "notional" document.

    OPEN: 
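    The "Missing information" options above (a.1/b.1 versus a.2, and
    c.1 versus c.2 for Deny-Overrides) worked through on the list's own
    examples, OR(missing, true, false) and OR(missing, false, false).
    This is an added illustration, not part of the issue list or of any
    XACML implementation; the function and enum names are constructed.

```python
from enum import Enum

class V(Enum):
    TRUE = "true"
    FALSE = "false"
    INDETERMINATE = "indeterminate"

class Effect(Enum):
    PERMIT = "permit"
    DENY = "deny"
    NOT_APPLICABLE = "not-applicable"
    INDETERMINATE = "indeterminate"

MISSING = None  # an AttributeDesignator whose attribute is absent from the Request

def or_ignore_missing(*args):
    """Missing-information a.1/b.1: a missing argument is ignored when another
    argument already decides the result; otherwise the result is INDETERMINATE."""
    if any(a is True for a in args):
        return V.TRUE
    if any(a is MISSING for a in args):
        return V.INDETERMINATE  # might be true if the missing value were known
    return V.FALSE

def or_strict(*args):
    """Missing-information a.2: missing information raises an exception that
    by-passes further evaluation, whatever the other arguments are."""
    if any(a is MISSING for a in args):
        raise LookupError("attribute missing")
    return V.TRUE if any(args) else V.FALSE

def evaluate_rule(cond, args, effect):
    """A Rule yields its Effect when its Condition is TRUE, NOT_APPLICABLE when
    FALSE, and INDETERMINATE when the Condition is INDETERMINATE or raised."""
    try:
        result = cond(*args)
    except LookupError:
        return Effect.INDETERMINATE
    if result is V.TRUE:
        return effect
    return Effect.NOT_APPLICABLE if result is V.FALSE else Effect.INDETERMINATE

def deny_overrides(rule_results, indeterminate_as_deny):
    """Combining algorithm. c.2: Deny-Overrides maps INDETERMINATE to DENY;
    c.1: INDETERMINATE is passed up unchanged to the next higher layer."""
    if Effect.DENY in rule_results:
        return Effect.DENY
    if Effect.INDETERMINATE in rule_results:
        return Effect.DENY if indeterminate_as_deny else Effect.INDETERMINATE
    if Effect.PERMIT in rule_results:
        return Effect.PERMIT
    return Effect.NOT_APPLICABLE
```

    Under a.2 even OR(missing, true, false) becomes INDETERMINATE, and
    whether that reaches the Response or turns into DENY is decided by
    the combining-algorithm choice, not by the function.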

37. [Michiharu] Use of XPath with namespaces.
    http://lists.oasis-open.org/archives/xacml/200207/msg00056.html

    Namespace URI functions and Global Name functions.  Another
    option: namespace prefix in the XPATH expression, but this
    needs some assumptions on the target document.

    May want to consider #45 (AttributeDesignator without XPATH)
    first.

    OPEN: 

38. [Daniel] Split non-null-set-intersection function
    http://lists.oasis-open.org/archives/xacml/200207/msg00076.html [1)]
    [Tim] http://lists.oasis-open.org/archives/xacml/200207/msg00077.html

    Split non-null-set-intersection into intersection(list, list),
    returning xs:list, and non_null(list), returning boolean.

    CLOSED unless someone objects.

39. [Daniel] Add floor(decimal)
    http://lists.oasis-open.org/archives/xacml/200207/msg00076.html [2)]
    [Tim] http://lists.oasis-open.org/archives/xacml/200207/msg00077.html

    In addition to round(decimal), floor(decimal) is probably
    necessary.

    [Tim] "function:integer" was intended to serve as floor(decimal).

    CLOSED unless someone objects: add round(decimal), use
    function:integer as floor(decimal).

40. [Anne] Change XACML "Request" to "Query"?
    http://lists.oasis-open.org/archives/xacml/200207/msg00078.html [1.]
    [Tim] http://lists.oasis-open.org/archives/xacml/200207/msg00079.html
    [Daniel] http://lists.oasis-open.org/archives/xacml/200207/msg00080.html

    Eve Maler suggests we change the name of "Request" to "Query"
    to conform to SAML usage.

    OPEN:

41. [Anne] Is a "notional" XML document for Request a good idea?
    http://lists.oasis-open.org/archives/xacml/200207/msg00078.html [2.]
    [Daniel] http://lists.oasis-open.org/archives/xacml/200207/msg00080.html

    OPEN:

42. [Anne] ConditionType and ConditionIdType
    http://lists.oasis-open.org/archives/xacml/200207/msg00081.html

    What should we use for ConditionIdType when the ConditionType
    is an Attribute or AttributeDesignator?

    Options:
    1. function:true (conflicts with proposed function:true to
       ALWAYS return true for use with "any" matches in Target)
    2. Use function:alwaysTrue for Target "any" matches

    OPEN:

43. [Simon] What are the semantics of multiple subjects in a
    Request?
    [Anne] http://lists.oasis-open.org/archives/xacml/200207/msg00093.html

    CLOSED unless anyone objects.

44. [Simon] Schema for advice
    http://lists.oasis-open.org/archives/xacml/200207/msg00126.html

    CLOSED unless anyone objects.

45. [All] Can AttributeDesignator be simpler than XPATH?
    [Anne] http://lists.oasis-open.org/archives/xacml/200207/msg00095.html
    [Simon] http://lists.oasis-open.org/archives/xacml/200207/msg00130.html
    [Michiharu] http://lists.oasis-open.org/archives/xacml/200207/msg00131.html

    OPEN:

46. [Anne] Replace saml:AssertionType with xacml:AssertionType
    http://lists.oasis-open.org/archives/xacml/200207/msg00097.html

    CLOSED unless anyone objects.

47. [Anne] Which date and time functions are mandatory for 1.0?
    http://lists.oasis-open.org/archives/xacml/200207/msg00116.html
    http://lists.oasis-open.org/archives/xacml/200207/msg00153.html
    [Michiharu] http://lists.oasis-open.org/archives/xacml/200207/msg00128.html

    Options:
    1. Any function that takes or returns a duration data type
       (yearMonthDuration, dayTimeDuration) is not mandatory.
    2. Any function that requires converting a date into a new
       date (such as by addition or subtraction of a duration) is
       not mandatory.  Any function that requires computing a
       duration by subtracting two dates is not mandatory.

    OPEN: 

48. [Anne] Reducing number of functions for 1.0
    http://lists.oasis-open.org/archives/xacml/200207/msg00118.html

    CLOSED unless anyone wants to propose specific changes to
    this list.

49. [Michiharu] Which regular expression definition to use?
    http://lists.oasis-open.org/archives/xacml/200207/msg00129.html
    [Anne] http://lists.oasis-open.org/archives/xacml/200204/msg00132.html

    Options:
    1. Use definitions specified in XML Schema part 2: Datatypes,
       Appendix F Regular Expressions. (Bill says same as perl)
    2. Basic regular expressions (BRE) as defined in POSIX
       specification 2:
       http://www.opengroup.org/onlinepubs/007908799/xbd/re.html#tag_007_003
    3. Extended regular expressions (ERE) as defined in POSIX
       specification 2 (these add an "or" metacharacter so you
       can match on one of multiple separate regular expressions)
       http://www.opengroup.org/onlinepubs/007908799/xbd/re.html#tag_007_003

    OPEN:

50. [Anne] Need xacml:dayTimeDuration and xacml:yearMonthDuration?
    http://lists.oasis-open.org/archives/xacml/200207/msg00133.html

    XML Schema Datatypes document mentions restricting Duration
    to dayTime or yearMonth, but does not actually specify such
    restrictions.  So do we need to define them within XACML?

    OPEN: 

51. [Michiharu] XML Access Control Use Case
    http://lists.oasis-open.org/archives/xacml/200207/msg00132.html

    Is this a schema issue per se?

    OPEN:

52. [John Howard] Support OR in Target
    http://lists.oasis-open.org/archives/xacml-comment/200207/msg00000.html

    Supporting OR in Target, either explicitly or implicitly,
    would make merging Targets easier.

    OPEN:
