Re: [xacml] x500

• urn:oasis:names:tc:xacml:1.0:function:x500Name-match

This function shall take two arguments of "urn:oasis:names:tc:xacml:2.0:data-type:x500Name" and shall return an "http://www.w3.org/2001/XMLSchema#boolean". It shall return “True” if and only if the first argument matches some terminal sequence of RDNs from the second argument when compared using x500Name-equal.

proposed change:

• urn:oasis:names:tc:xacml:1.0:function:x500Name-match

This function shall take two arguments of "urn:oasis:names:tc:xacml:2.0:data-type:x500Name" and shall return an "http://www.w3.org/2001/XMLSchema#boolean". It SHALL return “True” if and only if the entire first argument matches the terminal sequence of RDNs from the second argument when compared using x500Name-equal.

i made the first change to correct the perception that only a portion of the first argument must be matched. using the example in the thread this:

first argument: ou=hello,o=oasis

second argument: dn=alice,ou=xacml,o=oasis

would be false.

i made the second change to be precise, effectively stating that comparison must start at the last RDN on each string and work backwards. therefore this:

first argument: dn=alice,ou=xacml

second argument: dn=alice,ou=xacml,o=oasis

would be false

and this:

first argument: ou=xacml,o=oasis

second argument: dn=alice,ou=xacml,o=oasis

would be true.

despite the plural nature of the text, i think the intent of this function was to allow 1:n RDNs to match. if so, then we should modify this:

sequence of RDNs

to say this:

sequence of one or more RDNs

making this true:

first argument: o=oasis

second argument: dn=alice,ou=xacml,o=oasis

if not, then we should clarify and say this:

sequence of two or more RDNs

making this an ERROR:

first argument: o=oasis

second argument: dn=alice,ou=xacml,o=oasis

because you cannot have single RDN for first argument in this definition.

thoughts?

xacml message