OASIS Mailing List Archives

xacml message


Subject: samlp:XACMLPolicyQuery Target element


Colleagues,

Currently, in the SAML 2.0 Profile of XACML 2.0, an XACMLPolicyQuery 
element is used by a PDP to request policies from an on-line Policy 
Administration Point.  The policies to be returned are specified using 
one or more of the following elements:
---------------------Taken from XACML 2.0 Profile------------>
<xacml-context:Request> [Any Number]
Supplies an XACML Request Context.  All XACML <xacml:Policy> and 
<xacml:PolicySet> instances applicable to this Request SHALL be 
returned.  The concept of “applicability” in the XACML context is 
defined in the XACML 2.0 Specification [XACML].

<xacml:Target> [Any Number]
Supplies an XACML <xacml:Target> instance.  All XACML <xacml:Policy> and 
<xacml:PolicySet> instances applicable to this <Target> SHALL be returned.

<xacml:PolicySetIdReference> [Any Number]
Identifies an XACML <xacml:PolicySet>  instance to be returned.

<xacml:PolicyIdReference> [Any Number]
Identifies an XACML <xacml:Policy> instance to be returned.

If the <xacml-samlp:XACMLPolicyQuery> contains no element instances, 
then the Policy Administration Point SHOULD return all policies that are 
authorized and appropriate for use by the requester.
<--------------------End of extract from XACML 2.0 Profile---------

There is a potential problem with use of the <xacml:Target> element, 
because we do not specify how to determine *policies* that are 
"applicable" to a Target.

Here are some possible options for dealing with this:

1. Say something like "Return all Policy and PolicySet instances that 
are applicable to any Request to which this Target is applicable.  The 
means for determining such policies is unspecified."

2. Say "Return all Policy and PolicySet instances whose top-level Target 
exactly matches this Target.  The matching algorithm is unspecified."

3. Remove this element from the XACMLPolicyQuery.

I recommend #3.

Regards,
Anne
-- 
Anne H. Anderson               Anne.Anderson@sun.com
Sun Microsystems Labs          1-781-442-0928
Burlington, MA USA
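
Added example, not part of the original message or of the XACML profile: a sketch of why "applicable to this <Target>" is underspecified, showing three plausible readings returning different policy sets for one query. The dictionary model of a Target, the policy ids, and the function names are all assumptions made for illustration; real XACML Targets use match functions and are only one part of policy applicability.

```python
# Simplified model (assumption): a target maps attribute id -> set of
# accepted values; an attribute that is absent accepts any value.

def overlaps(query, policy):
    """Option 1, reading 'any Request' as 'at least one Request':
    some request satisfies both the query target and the policy target."""
    return all(query[a] & policy[a] for a in query.keys() & policy.keys())

def covers(query, policy):
    """Option 1, reading 'any Request' as 'every Request':
    each request satisfying the query target satisfies the policy target."""
    return all(a in query and query[a] <= policy[a] for a in policy)

def exact(query, policy):
    """Option 2: the policy's top-level target equals the query target."""
    return query == policy

# Constructed sample policy store: policy id -> top-level target.
POLICIES = {
    "P-all": {},
    "P-records": {"resource": {"records"}},
    "P-doctor-records": {"role": {"doctor"}, "resource": {"records"}},
    "P-doctor-read": {"role": {"doctor"}, "resource": {"records"},
                      "action": {"read"}},
    "P-doctor-or-nurse": {"role": {"doctor", "nurse"},
                          "resource": {"records"}},
    "P-nurse": {"role": {"nurse"}},
}

# Constructed target as it might be carried in an XACMLPolicyQuery.
QUERY = {"role": {"doctor"}, "resource": {"records"}}

def select(rule, query=QUERY, store=POLICIES):
    """Return the ids of the policies a PAP would send back under `rule`."""
    return sorted(pid for pid, target in store.items() if rule(query, target))

if __name__ == "__main__":
    for rule in (overlaps, covers, exact):
        print(f"{rule.__name__:8} -> {select(rule)}")
```

A PDP and a PAP that each pick a different reading would disagree on the returned set, so the PDP could evaluate a request against an incomplete or over-broad collection of policies.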
