Subject: [xacml] list of identifier values


The attached message contains the list of identifier values that
we will use in XACML 1.0.  Hal Lockhart will write up explanatory
text around each of these (only minimal notes here).

Anne Anderson       Anne.Anderson@Sun.COM
Internet Security Research Group, Sun Labs
Sun Microsystems, Inc., Burlington, MA
--- Begin Message ---
XACML base (BASE)
urn:oasis:names:tc:xacml:1.0

Authentication locality (for translating SAML Authentication Locality element)
BASE:auth-locality:ip-address
BASE:auth-locality:dns-name

XACML namespaces
BASE:context
BASE:policy

XACML Action attribute identifier (used for examples only in 1.0)
BASE:example:action  ("read", etc. is value of Action Attribute)

SubjectCategories
BASE:subjectcategory:access-subject (the entity that is the ultimate initiator
            of the access)
BASE:subjectcategory:recipient-subject (the entity that is the recipient of
            the output from the access itself)
BASE:subjectcategory:intermediary-subject (an entity through which the
            request was passed)
BASE:subjectcategory:codebase
            (can be multiple codebases: the executing code that
            generated the access request; e.g. the URL from which the
            accessing code was downloaded and attributes of this code,
            such as by whom it was signed)
BASE:subjectcategory:requesting-machine
            (the machine where 

XACML functions
BASE:function:   (function table supplies all the identifiers with this prefix)

DataTypes:
BASE:datatype:x500name
BASE:datatype:rfc822name
?:yearMonthDuration  (take this from another spec; Michiharu knows)
?:dayTimeDuration    (take this from another spec; Michiharu knows)
xs:Gregorian
BASE:datatype:numeric
BASE:datatype:list  set ????  (get this from Polar and Daniel)
BASE:datatype:ufs-path  (UNIX file-system path)

Environment attributes
BASE:environment:current-time  (current time at the PDP)

Subject attributes
BASE:subject:authentication-time
BASE:subject:authentication-method
BASE:subject:request-time
BASE:subject:session-start-time

Resource attributes:
BASE:resource:resource-uri  (entire resource uri)
BASE:resource:simple-file-name  (last component of the file name.  E.g.
     file://home/my/status#pointer has a simple-file-name of "status".)

Attributes (Used only for examples)
BASE:example:attribute (base for any other examples)
BASE:example:attribute:role


CombiningAlgorithms
BASE:rule-combining-algorithm:deny-overrides
BASE:rule-combining-algorithm:permit-overrides
BASE:policy-combining-algorithm:deny-overrides
BASE:policy-combining-algorithm:permit-overrides

Status codes
BASE:status:ok
BASE:status:missing-attribute
BASE:status:syntax-error
BASE:status:processing-error   (e.g. divide by 0)

Identifiers used only in XACML ConformanceTests
BASE:conformance-test:   (base for all identifiers defined for ConformanceTests)

DigestAlgId:
sha-1: use what is defined in XML Signature or something like that

Following done via schema elements or enumerations:
XACML resource scopes (string enumeration)
"Any" Target values (<AnySubject>, <AnyResource>, <AnyAction> elements)
Effects (string enumeration)
Decisions (string enumeration)

--- End Message ---
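Added example, not part of the message above or of any XACML implementation: a small Python module that expands the `BASE:` shorthand used in the attached list into full XACML 1.0 URNs and dispatches on the two rule-combining-algorithm identifiers. The combining semantics are the standard XACML 1.0 definitions, which the message does not spell out; the `Rule` type, `expand` and `combine` are assumed helpers for illustration only.

```python
# Added example (not from the message): expand BASE: shorthand into full
# XACML 1.0 URNs and dispatch on the rule-combining-algorithm identifiers.
# Combining semantics are standard XACML 1.0; Rule is an assumed stand-in.
from dataclasses import dataclass

BASE = "urn:oasis:names:tc:xacml:1.0"   # "XACML base (BASE)" in the list
PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "NotApplicable", "Indeterminate"

def expand(shorthand: str) -> str:
    """Turn e.g. 'BASE:status:ok' into the full URN."""
    if not shorthand.startswith("BASE:"):
        raise ValueError("not a BASE-relative identifier: " + shorthand)
    return BASE + shorthand[len("BASE"):]

@dataclass
class Rule:
    effect: str    # PERMIT or DENY: what the rule yields when it applies
    decision: str  # constructed outcome of evaluating it (may be INDETERMINATE)

def overrides(rules, winner, on_potential_winner):
    """'winner' beats everything; an Indeterminate rule whose effect is
    'winner' yields on_potential_winner; otherwise the other decision wins."""
    potential = any_other = any_error = False
    for r in rules:
        if r.decision == winner:
            return winner                     # one winning decision settles it
        if r.decision == INDETERMINATE:       # e.g. status:processing-error
            any_error = True
            potential |= r.effect == winner
        elif r.decision != NOT_APPLICABLE:
            any_other = True
    if potential:
        return on_potential_winner
    if any_other:
        return DENY if winner == PERMIT else PERMIT
    return INDETERMINATE if any_error else NOT_APPLICABLE

ALGORITHMS = {  # keyed by the identifiers from the CombiningAlgorithms section
    expand("BASE:rule-combining-algorithm:deny-overrides"):
        lambda rules: overrides(rules, DENY, DENY),            # failed Deny still denies
    expand("BASE:rule-combining-algorithm:permit-overrides"):
        lambda rules: overrides(rules, PERMIT, INDETERMINATE),  # failed Permit never grants
}

def combine(algorithm_id: str, rules) -> str:
    """Pick the algorithm by its full URN and combine the rule decisions."""
    if algorithm_id not in ALGORITHMS:
        raise ValueError("unknown rule-combining algorithm: " + algorithm_id)
    return ALGORITHMS[algorithm_id](rules)
```

Note the asymmetry: under deny-overrides an erroring Deny rule still denies, while under permit-overrides an erroring Permit rule yields Indeterminate rather than Permit, so evaluation errors never grant access.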