Issue 71, Treating different subject categories as different entities

[Erik Rissanen <erik@axiomatics.com>]

All,

Issue 71 proposes that multiple Attributes elements with the same 
category should be treated as distinct elements.

This is contrary to how it was in 2.0 and how 3.0 is currently.

I propose that we do not adopt the proposal and that issue 71 is closed 
without action.

There are two reasons for this:

1) A minor reason is that it clashes with the multiple request syntax. 
But this would be trivial to fix by introducing some other syntax for 
the multiple requests.

2) It significantly changes the behavior of the very basics of XACML.

The current AttributeDesignator functionality breaks since then it is no 
longer clear which particular instance of an <Attributes> element an 
attribute designator refers to. All uses of AttributeDesignators in 
targets would have to be qualified with either a) which instance it 
refers to (how do we identify instances), b) that the Match requires 
"Any" of the elements to match or c) that the Match requires "All" of 
the elements to match.

Similarly the attribute designator could not be used in <Apply> 
expressions as it is today. Some for of qualification would be needed 
there as well.

This complicates all XACML policies since policy writers now have to 
consider the cases when an element accurs once or multiple times, even 
if they would be doing "regular" XACML requests like they always have done.

And it breaks compatibility with 2.0 since there is no obvious way to 
decide how to relate a 2.0 target/condition to the new proposed request 
model.

I don't think these complications are worth it.

Best regards,
Erik