

Subject: Re: [xacml] New core and multiple resource profile


I don't recall all the details, but if I am correct, the plan was that 
for the obligation families, we define two new schemas:

- Obligation metadata declarations. These are processed by the PDP, but 
it's a separate schema from the core. This would contain the priority 
declaration.

- The result schema. We said earlier that we can wrap it inside a 
2.0/3.0 obligation as a parameter to a specific obligation, like this:

<Result>

  <Obligation>
    <AttributeAssignment AttributeId="urn:xacml:....:obligation-families-result">
       ... The new obligation families schema stuff here ...
    </AttributeAssignment>
  </Obligation>
</Result>

Doing it like this would make it independent of the core schema, and we 
could also support it for XACML 2.0.

There was another line of work on PDP metadata, which I see as separate 
from the obligation families feature. This would contain information such 
as supported features, functions, algorithms, etc. As well we could link 
in the families declarations, etc. Again, I think this should be 
separate from the core schema.

Best regards,
Erik

Bill Parducci wrote:
> My thinking is that this information must be defined at the "root" 
> level of the PDP, which to me suggests that it be defined in the 
> Context Schema. I don't think that it can be "self-referential" (i.e. 
> a Policy construct) since that will invariably lead to ambiguity.
>
> Is the consensus that the PDP "meta" schema has been scrapped in v3?
>
> thanks
>
> b
>
> On Mar 3, 2009, at 8:32 AM, Hal Lockhart wrote:
>
>> I was looking at the Obligation family draft this weekend and I 
>> noticed that for Exclusive mode, Obligations are supposed to have a 
>> priority associated with them. However, I cannot find priority 
>> anywhere. Is this supposed to be in the core schema? Or is there some 
>> reserved attribute which will contain the obligation priority? If it 
>> needs to go in the core schema we should do it now.
>>
>> Hal
>>
>>> -----Original Message-----
>>> From: Erik Rissanen [mailto:erik@axiomatics.com]
>>> Sent: Tuesday, March 03, 2009 5:26 AM
>>> To: XACML TC
>>> Subject: [xacml] New core and multiple resource profile
>>>
>>> All,
>>>
>>> I have posted new drafts of the core and the multiple resource profile.
>>> See the change logs and tracked changes for details.
>>>
>>> As far as I can tell, we don't have any open issues on the following
>>> specs:
>>>
>>> - Core
>>> - Multiple resource
>>> - Administration
>>> - Privacy
>>> - SAML
>>> - Dsig
>>>
>>> The hierarchical profile is being discussed currently and there was
>>> discussion about improving the RBAC profile.
>>>
>>> The proposed work on the RBAC profile seems in very early stages and the
>>> issue (policies about management of roles) is a major topic, so I
>>> propose that we don't bring this in 3.0.
>>>
>>> So, could we agree on a feature freeze on the above mentioned profiles?
>>> If so, all of them except hierarchical are ready for review before going
>>> to committee draft.
>>>
>>> I also propose that if we don't get resolutions on the issues in the
>>> hierarchical profile soon and it would appear that there are major
>>> changes required, then we use the old version of that profile. However,
>>> my understanding is that Rich has pretty much completed the work on
>>> that. I haven't had the time to review it myself yet, but I will do so now.
>>>
>>> So, given the above, can we agree on the following?
>>>
>>> - everybody reviews the above mentioned profiles
>>> - We correct any mistakes
>>> - I will fix the metadata, references, namespaces, etc,
>>> - Go CD with the above
>>>
>>> One final issue: we need to update the acknowledgements section of the
>>> core. What goes in there? My name is not in there, and I would like to
>>> include it. :-) I presume that we keep all the old names, right? John
>>> Tolbert has requested to be added. Anybody else?
>>>
>>> Best regards,
>>> Erik
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe from this mail list, you must leave the OASIS TC that
>>> generates this mail.  Follow this link to all your TCs in OASIS at:
>>> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
>>>