Subject: Questions on "Introducing attribute categories"
RE: http://lists.oasis-open.org/archives/xacml/200603/msg00002.html
Two comments, plus one stated by Erik:
1. Section 2.2 says [Current specification ... defines] "Resource
category Multiple resource groups may be specified in request"
Is this referring to the "Multiple resources profile"? Otherwise
the current specification allows for only one group of attributes
for one resource.
2. Section 4.1 says [In this proposal, in the Request schema]
"<Resource> and <ResourceContent> elements are preserved, so that
path expressions used to identify parts of the resource content
in XACML 2.0 need not be changed."
I don't see why these are kept when <Subject>, <Action>, etc. are
changed, and path expressions used to identify parts of XML
element-valued Attributes in those other sections will have to
change.
While we are at it, is there a good reason why "ResourceContent"
can't be an XML element-valued Attribute just as Subject, Action,
and Environment Attribute values that are XML elements are?
3. This comment comes from Erik: For the delegate category, we need
a way to distinguish a category not being present from a particular
Attribute not being present. Lack of a delegate category is how
an access policy is distinguished from an administrative policy.
--
Anne H. Anderson Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311 Tel: 781/442-0928
Burlington, MA 01803-0902 USA Fax: 781/442-1692