

Subject: Re: [xacml] problem with status detail



>> The problem is that at some point the Attribute type was changed

Here is the reason: http://lists.oasis-open.org/archives/xacml/200306/msg00012.html
The change was done for clarifying the semantics of the "mustBePresent" attribute of the attribute designators.

>> The easiest way to fix this is to allow AttributeValue to be
>> optional, but I suspect that may not be acceptable.


If we change it to "optional", we need to discuss the above again.

>> The other option is
>> to create a new element to specify just the meta-data.


I like this option.

Satoshi Hada
IBM Tokyo Research Laboratory
mailto:satoshih@jp.ibm.com



seth proctor <Seth.Proctor@Sun.COM>
Sent by: Seth.Proctor@Sun.COM
2003/10/27 02:24

To: xacml@lists.oasis-open.org
cc:
Subject: [xacml] problem with status detail






[apologies in advance if someone has already caught this...I know there
are discussions about status, but I haven't seen this issue discussed yet]

In 6.15 there is an explanation for what detail to include with the
missing-attribute status code: Attributes specify one or more missing
values, and if an AttributeValue is included, then this specifies an
acceptable value. If no AttributeValue is included, then the PDP is
specifying the identifier and datatype only. Sounds good.

The problem is that at some point the Attribute type was changed from

  <xs:element ref="xacml-context:AttributeValue" minOccurs="0"/>

to

  <xs:element ref="xacml-context:AttributeValue"/>

This means that it's no longer valid to have an Attribute with no
AttributeValue. So, I don't think it's possible for the PDP to specify a
missing attribute without specifying at least one acceptable value (note
that even an empty AttributeValue tag, which is still legal, is still
technically a value). Do others agree? If so, I think this is a problem.
PDPs need a way to specify missing attributes without providing
acceptable values.

Thoughts? The easiest way to fix this is to allow AttributeValue to be
optional, but I suspect that may not be acceptable. The other option is
to create a new element to specify just the meta-data.


seth
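
The validity question raised in this thread, as an added example that is not part of either message or of the XACML specification: it reads the occurrence constraint from each of the two quoted declarations and checks three constructed Attribute elements against it. The namespace URI, the sample AttributeId and the helper names are assumptions, and the check covers only the AttributeValue count, not full schema validation.

```python
import xml.etree.ElementTree as ET

XS = "http://www.w3.org/2001/XMLSchema"
CTX = "urn:oasis:names:tc:xacml:1.0:context"  # assumed context namespace

# The two declarations quoted in the message, verbatim.
OLD_DECL = '<xs:element ref="xacml-context:AttributeValue" minOccurs="0"/>'
NEW_DECL = '<xs:element ref="xacml-context:AttributeValue"/>'

def occurs(decl):
    """Return (min, max) for an xs:element particle; XSD defaults both to 1."""
    el = ET.fromstring(decl.replace("<xs:element", f'<xs:element xmlns:xs="{XS}"', 1))
    lo = int(el.get("minOccurs", "1"))
    hi = el.get("maxOccurs", "1")
    return lo, (None if hi == "unbounded" else int(hi))

def attribute_is_valid(decl, attribute_xml):
    """Count AttributeValue children and compare with the particle's bounds."""
    lo, hi = occurs(decl)
    attr = ET.fromstring(attribute_xml)
    n = len(attr.findall(f"{{{CTX}}}AttributeValue"))
    return n >= lo and (hi is None or n <= hi)

def attribute(body=""):
    """Build a constructed Attribute element (sample identifier, not from the spec)."""
    return (f'<Attribute xmlns="{CTX}" AttributeId="urn:example:role" '
            f'DataType="http://www.w3.org/2001/XMLSchema#string">{body}</Attribute>')

# Constructed samples: the three cases discussed in the message.
SAMPLES = {
    "metadata only": attribute(),                       # identifier and datatype only
    "empty value": attribute("<AttributeValue/>"),      # empty tag still counts as a value
    "acceptable value": attribute("<AttributeValue>admin</AttributeValue>"),
}

def compare():
    """Map each sample to (valid under old declaration, valid under new one)."""
    return {name: (attribute_is_valid(OLD_DECL, xml), attribute_is_valid(NEW_DECL, xml))
            for name, xml in SAMPLES.items()}

if __name__ == "__main__":
    for name, (old_ok, new_ok) in compare().items():
        print(f"{name:17} old={old_ok} new={new_ok}")
```
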

