Typos in the XACML 2.0 standard?

[Erik Rissanen <erik@axiomatics.com>]

All,

The dnsName and ipAddress datatypes are missing from the list of data 
types identifiers in the conformance section. Their corresponding bag 
functions as missing as well (type-one-and-only, etc).

Unless there are objections, I will update the errata and the next 3.0 
working draft by adding the following identifiers:

urn:oasis:names:tc:xacml:2.0:data-type:ipAddress
urn:oasis:names:tc:xacml:2.0:data-type:dnsName

urn:oasis:names:tc:xacml:2.0:function:ipAddress-one-and-only
urn:oasis:names:tc:xacml:2.0:function:dnsName-one-and-only
urn:oasis:names:tc:xacml:2.0:function:ipAddress-bag-size
urn:oasis:names:tc:xacml:2.0:function:dnsName-bag-size
urn:oasis:names:tc:xacml:2.0:function:ipAddress-is-in
urn:oasis:names:tc:xacml:2.0:function:dnsName-is-in
urn:oasis:names:tc:xacml:2.0:function:ipAddress-bag
urn:oasis:names:tc:xacml:2.0:function:dnsName-bag

Note that I am using "2.0" in the identifiers since they are for 2.0 
data types, although the general section on bag functions just mentions 
"1.0". I think that section should also be updated.

For instance, it says:

· urn:oasis:names:tc:xacml:1.0:function:type-one-and-only
This function SHALL take a bag of ‘type’ values as an argument and SHALL 
return a value
of ‘-type’. It SHALL return the only value in the bag. If the bag does 
not have one and only
one value, then the expression SHALL evaluate to "Indeterminate".

It should say urn:oasis:names:tc:xacml:X.X:function:type-one-and-only, 
as it already says in other similar places.

For the other data types there are also set functions, such as union, 
intersection, etc. There are no set functions on dnsName and ipAddress 
in the list of function identifiers. I am not sure if that is by design 
or by mistake. The definitions of the set functions depend on the 
definition of the -equal function for the particular data type. But, 
there are no -equal functions defined for ipAddress and dnsName. There 
are -regexp-match for them though, so it might be by design. I suspect 
that it's a mistake. If so, the following identifiers need to be added 
as well:

urn:oasis:names:tc:xacml:2.0:function:ipAddress-equal
urn:oasis:names:tc:xacml:2.0:function:dnsName-equal

urn:oasis:names:tc:xacml:2.0:function:ipAddress-intersection
urn:oasis:names:tc:xacml:2.0:function:dnsName-intersection
urn:oasis:names:tc:xacml:2.0:function:ipAddress-at-least-one-member-of
urn:oasis:names:tc:xacml:2.0:function:dnsName-at-least-one-member-of
urn:oasis:names:tc:xacml:2.0:function:ipAddress-union
urn:oasis:names:tc:xacml:2.0:function:dnsName-union
urn:oasis:names:tc:xacml:2.0:function:ipAddress-subset
urn:oasis:names:tc:xacml:2.0:function:dnsName-subset
urn:oasis:names:tc:xacml:2.0:function:ipAddress-set-equals
urn:oasis:names:tc:xacml:2.0:function:dnsName-set-equals

Regards,
Erik