OASIS Mailing List Archives

xacml message



Subject: WS-XACML Working Draft 9, 18 July 2007


Colleagues,

This is my last revision of WS-XACML.  WD9 documents are linked from the 
XACML TC Web Page under "Work in Progress".

WD9 attempts to close all open WS-XACML issues; the issues list has been 
updated to reflect these as "PENDING REVIEW":

55. WS-XACML:Address policy references in a Requirements element 
containing a PolicySet
56. WS-XACML:Add optional "Preference" XML attribute to Apply element
57. WS-XACML:Restrictions on XPath expression to support matching 
Attribute references
58. WS-XACML:Handle P3P 1.0 POLICY/STATEMENT/NON-IDENTIFIABLE in an 
XACMLPrivacyAssertion
59. WS-XACML:Allow restricted regular expression functions in XACMLAssertion
84. WS-XACML: limit-scope functions will not work as described

I had to stop recording changes before completing this draft because 
there were so many that OpenOffice started crashing.  Here is a complete 
list of the significant changes:

- Moved "XACML Authorization Token" and "Conveying XACML
   Attributes in a SOAP Message" to SAML Profile WD 3.  Removed
   corresponding text from Introduction. Added reference in
   non-normative Appendix. [TC decided to do this to focus
   WS-XACML on the XACML Assertions]

- Replaced use of xacml:Apply with ws-xacml:Constraint to add
   ValuePreference XML attribute [TC decided not to extend the
   core version of Apply; asked to have new element created for
   WS-XACML]

- Clarified that Capabilities are ANDed after being matched to
   create an agreement; when not selected as part of a particular
   agreement via matching against other Requirements, they are
   ORed. [clarification of semantics]

- Permitted use of xacml:Obligations in Requirements that are
   Policy or PolicySet elements [no reason not to allow
   Obligations in these formats, since they are not designed for
   Assertion matching other than matching a Request against
   policies]

- Changed xacml-context:ResourceContent in Capabilities to
   ws-xacml:PolicyDocument [Since ResourceContent went away in
   XACML 3.0; also clarifies intent]

- Defined permitted XPath expressions more rigorously [there
   is an informal proof that the specified syntax is sufficient to
   produce a unique mapping of a node to a path; theorists may be
   able to suggest additional syntax that could be supported while
   still allowing Constraint matching]

- Removed "limit-scope:all" and "limit-scope:atLeastOne"
   functions [since they would not work as described; no easy
   solution as documented in Issues]

- Defined intersection of time functions [must use time-in-range
   and specifies algorithm for each case]

- Specified references for regexp expressions and their
   intersection

- Renamed Vocabulary element to VocabularyRef [to make it more
   clear that the element refers to a vocabulary specification,
   but does not itself define a vocabulary]

- Added optional ReferencedPolicies element to Requirements

- Added "Sufficient" XML attribute to Requirements [way to
   indicate that no additional requirements will be imposed at
   interaction time; leave it false if you don't like it]

- Created schemas for each version of XACML and validated
   them [WS-XACML will work with any version of XACML; the schemas
   have minor differences in addition to the namespace
   differences]

- Added Conformance section [as highly recommended by OASIS]

- Non-normative Appendix suggests ways to manage WS-XACML
   policies as part of the enterprise policy set [Rich's request]

- Changed document name and identifier from "v1.0" to "v1" [just
   to make things simpler]

Comments and replacement editor volunteer welcome.  I will no longer be 
an OASIS member after August 10 (effectively after August 3).

Regards,
Anne
-- 
Anne H. Anderson, Sun Microsystems Laboratories
1 Network Drive,UBUR02-311, Burlington, MA 01803-0902 USA
Tel: 781/442-0928  Fax: 781/442-0399
Email: Anne.Anderson@Sun.COM until 10 August 2007
Email: Anne.Anderson@alum.swarthmore.edu after 10 August 2007

