Subject: New Issue#79: Incorrect use of multiple subjects
PROBLEM SUMMARY: The XACML specifications 1.0 through 2.0 contain
references to "subject-category" as an AttributeId of a Subject, rather
than an XML attribute of the <Subject> element and of a
SubjectAttributeDesignator. These references appear to be left over from
a preliminary design for handling multiple subjects, and are confusing
to XACML users.
RECOMMENDATION: Delete the subject-category AttributeId in XACML 3.0 and
delete sections of the specification that reference it. The XACML 2.0
Errata should show the subject-category AttributeId as deprecated.
The incorrect usages are:

XACML 1.0:
  - 2.4 Multiple subjects
    * .. An attribute called "subject-category" is used to
      differentiate between subjects acting in different capacities. Some
      standard values for this attribute are specified, and users may define
      additional ones.
  - B.5. Subject attributes
    * This identifier indicates the subject category. "access-subject"
      is the default value.
        urn:oasis:names:tc:xacml:1.0:subject-category

XACML 2.0:
  - 4.2.2 Example request context
      ...
      <Subject>
        <Attribute
            AttributeId="urn:oasis:names:tc:xacml:1.0:subject-category"
            DataType="http://www.w3.org/2001/XMLSchema#anyURI">
          <AttributeValue>urn:oasis:names:tc:xacml:1.0:subject-category:access-subject</AttributeValue>
        </Attribute>
        ...
      </Subject>
  - B.4 Subject attributes:
    * This identifier indicates the subject category. "access-subject"
      is the default value.
        urn:oasis:names:tc:xacml:1.0:subject-category

I have listed this as OPEN with myself as the Champion.
Regards,
Anne
--
Anne H. Anderson Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311 Tel: 781/442-0928
Burlington, MA 01803-0902 USA Fax: 781/442-1692