Subject: WS-XACML Working Draft 9, 18 July 2007
Colleagues,

This is my last revision of WS-XACML. WD9 documents are linked from the XACML TC Web Page under "Work in Progress".

WD9 attempts to close all open WS-XACML issues; the issues list has been updated to reflect these as "PENDING REVIEW":

55. WS-XACML:Address policy references in a Requirements element containing a PolicySet
56. WS-XACML:Add optional "Preference" XML attribute to Apply element
57. WS-XACML:Restrictions on XPath expression to support matching Attribute references
58. WS-XACML:Handle P3P 1.0 POLICY/STATEMENT/NON-IDENTIFIABLE in an XACMLPrivacyAssertion
59. WS-XACML:Allow restricted regular expression functions in XACMLAssertion
84. WS-XACML: limit-scope functions will not work as described

I had to stop recording changes before completing this draft because there were so many that OpenOffice started crashing. Here is a complete list of the significant changes:

- Moved "XACML Authorization Token" and "Conveying XACML Attributes in a SOAP Message" to SAML Profile WD 3. Removed corresponding text from Introduction. Added reference in non-normative Appendix.
  [TC decided to do this to focus WS-XACML on the XACML Assertions]
- Replaced use of xacml:Apply with ws-xacml:Constraint to add ValuePreference XML attribute
  [TC decided not to extend the core version of Apply; asked to have new element created for WS-XACML]
- Clarified that Capabilities are ANDed after being matched to create an agreement; when not selected as part of a particular agreement via matching against other Requirements, they are ORed.
  [clarification of semantics]
- Permitted use of xacml:Obligations in Requirements that are Policy or PolicySet elements
  [no reason not to allow Obligations in these formats, since they are not designed for Assertion matching other than matching a Request against policies]
- Changed xacml-context:ResourceContent in Capabilities to ws-xacml:PolicyDocument
  [Since ResourceContent went away in XACML 3.0; also clarifies intent]
- Defined permitted XPath expressions more rigorously
  [there is an informal proof that the specified syntax is sufficient to produce a unique mapping of a node to a path; theorists may be able to suggest additional syntax that could be supported while still allowing Constraint matching]
- Removed "limit-scope:all" and "limit-scope:atLeastOne" functions
  [since they would not work as described; no easy solution as documented in Issues]
- Defined intersection of time functions
  [must use time-in-range and specifies algorithm for each case]
- Specified references for regexp expressions and their intersection
- Renamed Vocabulary element to VocabularyRef
  [to make it more clear that the element refers to a vocabulary specification, but does not itself define a vocabulary]
- Added optional ReferencedPolicies element to Requirements
- Added "Sufficient" XML attribute to Requirements
  [way to indicate that no additional requirements will be imposed at interaction time; leave it false if you don't like it]
- Created schemas for each version of XACML and validated them
  [WS-XACML will work with any version of XACML; the schemas have minor differences in addition to the namespace differences]
- Added Conformance section
  [as highly recommended by OASIS]
- Non-normative Appendix suggests ways to manage WS-XACML policies as part of the enterprise policy set
  [Rich's request]
- Changed document name and identifier from "v1.0" to "v1"
  [just to make things simpler]

Comments and replacement editor volunteer welcome. I will no longer be an OASIS member after August 10 (effectively after August 3).

Regards,
Anne

--
Anne H. Anderson, Sun Microsystems Laboratories
1 Network Drive, UBUR02-311, Burlington, MA 01803-0902 USA
Tel: 781/442-0928
Fax: 781/442-0399
Email: Anne.Anderson@Sun.COM until 10 August 2007
Email: Anne.Anderson@alum.swarthmore.edu after 10 August 2007