Re: [xacml] IsPresent semantics

[Anne Anderson <Anne.Anderson@Sun.com>]

On 29 October, Polar Humenn writes: [xacml] IsPresent semantics
 > The MustBePresent attribute governs whether this element
 > returns false or indeterminate in the case of finding no value
 > for the named attribute in the request context. In this case,
 > if the MustBePresent attribute is set to false, which is its
 > default value, this element SHALL result in false. However,
 > for this case, if the MustBePresent attribute is set to true,
 > the expression SHALL result in indeterminate. Regardless of
 > the MustBePresent attribute, if it cannot be determined
 > whether the attribute is present or not present in the request
 > context, or the value of the attribute is unavailable, then
 > the expression SHALL result in indeterminate.

This is not clear.  I suggest:

  The MustBePresent attribute governs whether this element
  returns false or indeterminate in the case of finding no value
  for the named attribute in the request context.  If the value
  can not be located and the MustBePresent attribute is set to
  false (its default value), then the
  <ResourceAttributeIsPresent> element SHALL result in false.  If
  the value can not be located and the MustBePresent attribute is
  set to true, then the element SHALL result in indeterminate.
  Regardless of the MustBePresent attribute, if it cannot be
  determined whether the attribute is present or not present in
  the request context, or if the value of the attribute is
  unavailable due to any error, then the
  <ResourceAttributeIsPresent> element SHALL result in
  indeterminate.

 > The DataType attribute MUST match, by
 > string [Qname?] equality, that of the DataType attribute of

  I would think it would be "anyURI-equal".  We are defining the
  DataType attribute to be of type anyURI.

 > the same <xacml-context:Attribute> element. If the Issuer
 > attribute of this <ResourceAttributeIsPresent> element is
 > supplied, it MUST match, by string equality, the Issuer

 Again, I think it would be "anyURI-equal", since the Issuer
 attribute is of type anyURI.

 > attribute of the same <xacml-context:Attribute> element.

 > If the Issuer attribute of this <ResourceAttributeIsPresent>
 > element is not supplied, presence SHALL be governed by
 > AttributeId and DataType attributes alone, regardless of the
 > Issuer attribute of the same <xacml-context:Attribute> element
 > even if the Issuer attribute is not supplied in the located
 > <xacml-context:Attribute> element.

 Not clear.  I suggest.

  If the Issuer attribute of this <ResourceAttributeIsPresent>
  element is not supplied, presence SHALL be governed by
  AttributeId and DataType attributes alone, regardless of the
  presence, absence, or actual value of the Issuer attribute of
  the otherwise matching <xacml-context:Attribute> element.

 > AttributeId [Required]
 > 
 >     This attribute SHALL specify the AttributeId of which to match the
 >     attribute.

 Change "of which to match" to "value with which to match"

 > 
 > DataType [Required]
 > 
 >     This attribute SHALL specify the DataType of which to match the
 >     attribute.

 Change "of which to match" to "value with which to match"

 > 
 > Issuer [Optional]
 > 
 >     This attribute, if supplied, SHALL specify the Issuer of which to
 >     match the attribute.
 > 

 Change "of which to match" to "value with which to match"

Otherwise, looks OK to me.

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692