Subject: RE: [xacml-comment] Possible typos in XACML 3.0 Core specification (SubjectCategory, PolicyIdentifierList)
I will offer my opinions, but I defer in advance to Erik.
#1. I think you are right. We missed removing SubjectCategory from this section.
#2. You have a point. The phrase “the <Condition>” is not correct, since a policy may have more than one rule and hence more than one <Condition> element. I think the original intent would be better met by saying that for a PolicySet the Target must match and for a Policy the Target must match and at least one of the Conditions in the Rules must evaluate to true.
Your suggestion would include policies in which the Target matched, but there were no applicable Rules, which doesn’t quite correspond to my notion of an Applicable Policy.
In any event it seems we will need to create and process an errata document.
1) The mention of 'SubjectCategory' attribute in section 8.1:
This attribute does not exist anymore in the XACML 3.0 model, so I assume it should be removed from the list of extensible XML attribute types.
2) The definition of an applicable policy to be returned in <PolicyIdentifierList>, section 5.48:
It says: "all policies where both the <Target> matched and the <Condition> evaluated to true...". Since <Condition> is only in a <Rule>, shouldn't the text say only this instead: "all policies where the <Target> matched" (period)?
Thanks for any clarification if I'm wrong.
Cyril Dangerville, CISSP