Subject: Re: [xacml] Groups - xacml-3.0-administration-v1.0-wd30-diff.doc uploaded



Hi Hal,

Since there is now an explicit statement that a request from a PEP shall not
use the "delegate" and "delegation-info" categories and the "delegated:" prefix,
the handling of xpathExpression values in Section 4.5 can be simplified.

The only place an xpathExpression value with an XPathCategory equal to the
"delegate" category URI can appear is in the "delegate" category. This is because
the <Attributes> mapped in 1.b and 1.d originate from the access request, which
is now prohibited from using the "delegate" category, and a "delegation-info"
category created in step 3 contains only a single string value. Consequently,
step 1.a doesn't need to say anything about XPathCategory. The affected values
can only be in the <Attributes> element with no corresponding part in A. The
text can revert to what it was previously, i.e.:

    a.  An <Attributes> element with Category equal to “urn:oasis:names:tc:xacml:3.0:attribute-category:delegate” in R has no corresponding part in A.

The request R will either contain no <Attributes> elements of the kind covered
by step 1.d, or contain only <Attributes> elements of the kind covered in 1.d.
In particular, request R can't contain a mix of 1.b and 1.d. Consequently,
step 1.b doesn't need to say anything about XPathCategory. All the xpathExpression
values in R have either already been mapped or are ignored because they are in the
"delegate" category. This text can also revert to what it was previously, i.e.:

    b.  An <Attributes> element with Category which starts with the prefix “urn:oasis:names:tc:xacml:3.0:attribute-category:delegated:” maps to an identical <Attributes> element.

The <Attributes> elements of the kind covered by 1.b and 1.d are prohibited from
using "delegation-info" as the XPathCategory of an xpathExpression value,
<Attributes> elements of the kind covered in 1.c don't contain xpathExpression
values, and attributes in the "delegate" category are going to be ignored.
Consequently, step 1.c doesn't need to say anything about XPathCategory and
this text can revert to what it was previously, i.e.:

    c.  An <Attributes> element with Category equal to “urn:oasis:names:tc:xacml:3.0:attribute-category:delegation-info” in R has no corresponding part in A. (Note, a new delegation-info category is created, see point 3 below.)

Step 1.d is the only one that needs to say anything about XPathCategory, but the
new text contains an inherent contradiction in that it says that the <Attributes>
element has identical contents in A. They aren't identical if we are mapping
XPathCategory values. The final "and a <Content> element containing identical
contents" is also redundant and belongs in the previous sentence, if anywhere.
I suggest the following wording:

    d.  An <Attributes> element with any other Category in R maps to an <Attributes> element with the Category prefixed with “urn:oasis:names:tc:xacml:3.0:attribute-category:delegated:” and identical contents in A, except for the XPathCategory URI of any attribute value of type “urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression”, which SHALL also be prefixed with “urn:oasis:names:tc:xacml:3.0:attribute-category:delegated:”.

We don't need to be selective about which XPathCategory values need to be
prefixed because the URIs we wouldn't prefix are prohibited from being used
here.

Step 2 is mangled. It can revert to what it said previously, i.e.:

    2.  A contains an <Attributes> element with Category equal to “urn:oasis:names:tc:xacml:3.0:attribute-category:delegate” and contents identical to the <PolicyIssuer> element from P.

We can assume that any XPathCategory values placed in a <PolicyIssuer> element
are already mapped. Since attribute selectors will barf on an XPathCategory value
that is different from the Category of the <Attributes> element containing it,
the only sensible value to use here is “urn:oasis:names:tc:xacml:3.0:attribute-category:delegate”,
which we wouldn't ever prefix.

Regards,
Steven
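The mapping proposed above for steps 1.a to 1.d and step 2, as an added Python example that is not part of this message or of the XACML administration profile itself; it assumes the XACML 3.0 core namespace urn:oasis:names:tc:xacml:3.0:core:schema:wd-17, a constructed sample request R and <PolicyIssuer>, and leaves out step 3 (the new delegation-info category).

```python
import copy
import xml.etree.ElementTree as ET

# XACML 3.0 core namespace (assumed; the message quotes only the category URIs)
NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:"
DELEGATE = CAT + "delegate"
DELEGATION_INFO = CAT + "delegation-info"
DELEGATED = CAT + "delegated:"
XPATH_TYPE = "urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression"


def map_request(request_xml: str, policy_issuer_xml: str) -> ET.Element:
    """Build A from access request R and the <PolicyIssuer> of P (steps 1 and 2)."""
    r = ET.fromstring(request_xml)
    a = ET.Element(f"{{{NS}}}Request")
    for attrs in r.findall(f"{{{NS}}}Attributes"):
        cat = attrs.get("Category")
        if cat in (DELEGATE, DELEGATION_INFO):
            continue  # 1.a and 1.c: no corresponding part in A
        mapped = copy.deepcopy(attrs)
        if not cat.startswith(DELEGATED):  # 1.b: already-delegated elements are copied as-is
            mapped.set("Category", DELEGATED + cat)  # 1.d: prefix the Category ...
            for val in mapped.iter(f"{{{NS}}}AttributeValue"):
                if val.get("DataType") == XPATH_TYPE and val.get("XPathCategory"):
                    # ... and the XPathCategory of every xpathExpression value
                    val.set("XPathCategory", DELEGATED + val.get("XPathCategory"))
        a.append(mapped)
    # Step 2: a "delegate" category whose contents are those of <PolicyIssuer>
    delegate = ET.SubElement(a, f"{{{NS}}}Attributes", Category=DELEGATE)
    for child in ET.fromstring(policy_issuer_xml):
        delegate.append(copy.deepcopy(child))
    return a


# Constructed sample R: one subject carrying an xpathExpression value and a
# resource; R uses neither the "delegate" nor the "delegation-info" category.
SAMPLE_R = f"""<Request xmlns="{NS}">
  <Attributes Category="{CAT}access-subject">
    <Content><user xmlns=""><id>alice</id></user></Content>
    <Attribute AttributeId="urn:example:subject-xpath">
      <AttributeValue DataType="{XPATH_TYPE}"
        XPathCategory="{CAT}access-subject">//user/id</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="{CAT}resource"/>
</Request>"""
SAMPLE_ISSUER = f"""<PolicyIssuer xmlns="{NS}">
  <Attribute AttributeId="urn:example:issuer"><AttributeValue
    DataType="http://www.w3.org/2001/XMLSchema#string">carol</AttributeValue></Attribute>
</PolicyIssuer>"""
```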
