
Subject: Re: FW: [xacml] Groups - Export Control - U.S. (EC-US)


Martin,

Maybe I don't understand this, but do you suggest that there is some 
other attribute such as 
urn:oasis:....:country-code-variant="three-letters" in the request? And 
then the actual country codes are as specified by this attribute.

That would mean that a policy has to handle both variants of country 
codes and check the value of this country-code-variant attribute. The 
policies would be more complex because of this, so I don't think this 
would be a good idea.

Or do you mean that there are two country code attributes: 
urn:oasis:...:3-letter-nationality and 
urn:oasis:...:2-letter-nationality and that both have to be present in a 
request? With this approach policies would be simple, but the request 
would be unnecessarily large and implementers still need to get hold of 
the 3 letter spec which costs money.

I don't know about the country code schemes, but I think we should 
choose the set of codes which is most accurate and if possible, the most 
general in the sense that all the other codes can be mapped to it.

Will the country codes be used in policies to permit access or to deny 
access? It would matter if mapping from other code tables is not 
entirely accurate.

BTW, how much does the 3-letter spec cost?

Best regards,
Erik

Smith, Martin wrote:
> Or, in general, one could include elements for both code Id and code
> value, thereby supporting multiple codes. 
>
> Also in general, process-specific schemas should probably be based on
> what the process participants actually use. In this case, I think
> there's a World Customs Organization in Brussels that could tell you
> what is used for country coding in international trade.
>
> http://en.wikipedia.org/wiki/World_Customs_Organization
>
>
> Martin
>
>
>
> Martin F. Smith
> Director, National Security Systems
> US Department of Homeland Security
> NAC 19-410
> (202) 447-3743 desk
> (202) 441-9731 mobile
> (800) 417-6930 page
>  
>
> -----Original Message-----
> From: xacml-return-1399-martin.smith=dhs.gov@lists.oasis-open.org
> [mailto:xacml-return-1399-martin.smith=dhs.gov@lists.oasis-open.org] On
> Behalf Of Anil Saldhana
> Sent: Friday, May 22, 2009 10:32 AM
> To: Tyson, Paul H
> Cc: Erik Rissanen; Tolbert, John W; XACML TC
> Subject: Re: FW: [xacml] Groups - Export Control - U.S. (EC-US)
>
> To the xacml list - some comments from Paul.
>
> Tyson, Paul H wrote:
>> I am not yet an OASIS member so cannot post to xacml list.  Will one of
>> you please forward my comments?
>>
>>> -----Original Message-----
>>> From: Anil Saldhana [mailto:Anil.Saldhana@redhat.com] 
>>> Sent: Thursday, May 21, 2009 23:36
>>> To: Erik Rissanen
>>> Cc: Tolbert, John W; xacml@lists.oasis-open.org; Tyson, Paul H
>>> Subject: Re: FW: [xacml] Groups - Export Control - U.S. (EC-US)
>>>
>>>
>>> The 3 letter country codes are the current standard (ISO) and 
>>> the choice of implementers.
>>> We should stick to 3 letter codes in the specification.
>>>
>>>
>> From the ISO3166 FAQ: "The alpha-2 code is the most widely used one of
>> the three and apart from that it is the basis for other coding systems
>> which attach further alphabetical or numeric characters to the alpha-2
>> code elements. Examples are the currency codes from ISO 4217 or the
>> UN/LOCODE."
>> (http://www.iso.org/iso/country_codes/iso_3166-faqs/iso_3166_faqs_general.htm)
>>
>> But popularity alone is not a good enough reason to recommend it.  For
>> me, another determining factor was that ISO provides a normative version
>> of the 2-letter codes on their website
>> (http://www.iso.org/iso/country_codes/iso_3166_code_lists.htm), but the
>> normative 3-letter codes are only available in purchased products.
>>
>> I agree with Erik that for maximum interoperability, the profile should
>> strongly recommend one coding system; I would not oppose "MUST" here.
>>
>> The primary use case is if US government agencies wrote policies using
>> this profile.  Anything less than "MUST" would leave open the
>> possibility of variant versions of the policies, which would make more
>> work for everyone.
>>
>> --Paul
>
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php 
>
>
>   
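
The permit-versus-deny question raised in the message above, as an added example that is not part of the original thread: when a request's country code is mapped into the coding system the policy uses and the mapping table has a gap, a permit-list rule fails closed while a deny-list rule fails open. The function names, the mapping table and the codes (XA, XAA, XCC and so on) are constructed placeholders, not real country assignments or profile attributes.

```python
# Added illustration; helpers, codes and policies are constructed assumptions.
PERMIT, DENY, INDETERMINATE = "Permit", "Deny", "Indeterminate"

# Constructed, deliberately incomplete alpha-3 -> alpha-2 table.
# "XCC" has no entry, standing in for a mapping that is not entirely accurate.
ALPHA3_TO_ALPHA2 = {"XAA": "XA", "XBB": "XB"}

def normalize(code):
    """Return the alpha-2 form of a nationality code, or None if unmappable."""
    code = code.strip().upper()
    if len(code) == 2:
        return code
    return ALPHA3_TO_ALPHA2.get(code)

def permit_list_policy(code, allowed):
    """Permit only listed nationalities; everything else is denied."""
    return PERMIT if normalize(code) in allowed else DENY

def deny_list_policy(code, blocked):
    """Deny listed nationalities; everything else is permitted."""
    return DENY if normalize(code) in blocked else PERMIT

def strict_deny_list_policy(code, blocked):
    """Same rule, but an unmappable code is an error, not a non-match."""
    alpha2 = normalize(code)
    if alpha2 is None:
        return INDETERMINATE
    return DENY if alpha2 in blocked else PERMIT

def evaluate_all(code):
    """Run the three constructed policies on one nationality value."""
    return (permit_list_policy(code, {"XA"}),
            deny_list_policy(code, {"XC"}),
            strict_deny_list_policy(code, {"XC"}))

if __name__ == "__main__":
    for sample in ("XC", "XCC", "xaa"):  # constructed request values
        print(sample, evaluate_all(sample))
```

The alpha-2 value "XC" is denied by the deny-list rule, but its unmapped alpha-3 form "XCC" is permitted unless the unmappable case is surfaced as Indeterminate.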


