Subject: New Issue#79: Incorrect use of multiple subjects
PROBLEM SUMMARY: The XACML specifications 1.0 through 2.0 contain
references to "subject-category" as an AttributeId of a Subject,
rather than an XML attribute of the <Subject> element and of a
SubjectAttributeDesignator. These references appear to be left over
from a preliminary design for handling multiple subjects, and are
confusing to XACML users.

RECOMMENDATION: Delete the subject-category AttributeId in XACML 3.0
and delete sections of the specification that reference it. The
XACML 2.0 Errata should show the subject-category AttributeId as
deprecated.

The incorrect usages are:

XACML 1.0:

- 2.4 Multiple subjects
  * .. An attribute called "subject-category" is used to
    differentiate between subjects acting in different capacities.
    Some standard values for this attribute are specified, and users
    may define additional ones.

- B.5. Subject attributes
  * This identifier indicates the subject category. "access-subject"
    is the default value.
    urn:oasis:names:tc:xacml:1.0:subject-category

XACML 2.0:

- 4.2.2 Example request context
  ...
  <Subject>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject-category"
               DataType="http://www.w3.org/2001/XMLSchema#anyURI">
      <AttributeValue>urn:oasis:names:tc:xacml:1.0:subject-category:access-subject</AttributeValue>
    </Attribute>
    ...
  </Subject>

- B.4 Subject attributes:
  * This identifier indicates the subject category. "access-subject"
    is the default value.
    urn:oasis:names:tc:xacml:1.0:subject-category

I have listed this as OPEN with myself as the Champion.

Regards,
Anne
--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
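The following check is an added example, not part of the original message or of the XACML specifications. It scans a request context for the subject-category AttributeId usage described above and reports where it disagrees with the category assigned by the XML attribute on <Subject>. It assumes the XML attribute is named SubjectCategory, as in the XACML 2.0 context schema; the sample request and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# AttributeId the issue recommends deprecating (quoted from the message above).
DEPRECATED_ID = "urn:oasis:names:tc:xacml:1.0:subject-category"
# Default category stated in the quoted spec text ("access-subject").
DEFAULT_CATEGORY = DEPRECATED_ID + ":access-subject"

# Constructed sample request context (XACML 2.0 context namespace).
SAMPLE = """\
<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os">
  <Subject>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject-category"
               DataType="http://www.w3.org/2001/XMLSchema#anyURI">
      <AttributeValue>urn:oasis:names:tc:xacml:1.0:subject-category:access-subject</AttributeValue>
    </Attribute>
  </Subject>
  <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:intermediary-subject">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject-category"
               DataType="http://www.w3.org/2001/XMLSchema#anyURI">
      <AttributeValue>urn:oasis:names:tc:xacml:1.0:subject-category:access-subject</AttributeValue>
    </Attribute>
  </Subject>
</Request>
"""

def local(tag):
    """Strip the '{namespace}' prefix so 1.0 and 2.0 contexts both match."""
    return tag.rsplit("}", 1)[-1]

def find_subject_category_misuse(xml_text):
    """Return one finding per <Subject> that carries the category as an AttributeId."""
    findings = []
    root = ET.fromstring(xml_text)
    subjects = [e for e in root.iter() if local(e.tag) == "Subject"]
    for index, subject in enumerate(subjects):
        # Category assigned by the XML attribute (the default applies when absent).
        effective = subject.get("SubjectCategory", DEFAULT_CATEGORY)
        for attr in subject:
            if local(attr.tag) != "Attribute" or attr.get("AttributeId") != DEPRECATED_ID:
                continue
            values = [(v.text or "").strip() for v in attr if local(v.tag) == "AttributeValue"]
            findings.append({
                "subject_index": index,
                "xml_attribute_category": effective,
                "attribute_id_values": values,
                # True when the two ways of stating the category disagree.
                "conflict": any(v != effective for v in values),
            })
    return findings
```

A finding with "conflict" set marks a subject whose category is stated two different ways, which is the ambiguity the issue aims to remove.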