OASIS Mailing List Archives

xacml message



Subject: Re: [xacml] XACML 3.0 and deprecated identifiers



Hi David,

On 11/10/2017 7:29 PM, David Brossard wrote:

    Neither 10.2.8 nor A.3.12 explicitly mention the replacement / deprecation i.e. I have to assume that function-1.0-any-of is replaced with function-3.0-any-of. It is /obvious/ but then again obvious is not always right, is it :-)

I would say that they don't mention it because they don't need to. The goal of the
specification is to specify how to implement XACML 3.0. It isn't a goal of the
specification to tell folks how to upgrade from earlier versions of XACML, though
there are hints littered about. The conformance clauses tell us that
urn:oasis:names:tc:xacml:3.0:function:any-of and
urn:oasis:names:tc:xacml:1.0:function:any-of are mandatory to implement. The
former is defined in the specification, but the latter is not, so we must look
for it in the earlier versions. They are simply different functions that we must
support for XACML version 3.0 and there is no requirement anywhere for any XACML
version 3.0 component to substitute one for the other. Simply put, we can
implement XACML 3.0 without assuming there is any relationship between the two
functions.

Where the implementer must make assumptions is with the type-* functions because
the identifiers are not explicitly linked to the function definitions. Take the
type-bag function (in A.3.10) as an example. For most types we can find only one
identifier that appears to match the right pattern, e.g., for the boolean type
it is urn:oasis:names:tc:xacml:1.0:function:boolean-bag, so we assume that is the
correct identifier. For dayTimeDuration and yearMonthDuration we have a problem
because we find two possible matches for each (and they are both mandatory). It is
only by noting that one of the identifiers appears in the list of identifiers
planned for future deprecation that we assume that A.3.10 means to be defining the
other one. That part of the specification could have been more rigorous. We still
don't need to assume a relationship between the old identifier and the new
identifier to implement XACML version 3.0.

Regards,
Steven


On Wed, Oct 11, 2017 at 12:10 AM, Steven Legg <steven.legg@viewds.com> wrote:


    Hi David,

    On 11/10/2017 12:42 AM, David Brossard wrote:

        Hi

        The XACML spec mentions that there are deprecated identifiers. There are 2 places where this happens:

           * 10.2.9 Identifiers planned for future deprecation
           * A.4 Functions, data types, attributes and algorithms planned for deprecation

        Why do we have 2 sections? They are inconsistent.

        I then compiled the 2 lists and came up with this table. You will notice that some of the identifiers do not have an explicit replacement. Why is that?


    The replacements are listed in 10.2.8. The relationship between old and new is
    implied for the dayTimeDuration-* and yearMonthDuration-* functions because these
    functions are defined by the catch-all type-bag, type-bag-size, etc. functions.
    The function definitions for all-of, any-of, any-of-any and map in A.3.12
    explicitly use the new identifiers.

    BTW, did you see Cyril's comments on the JSON profile?
    https://lists.oasis-open.org/archives/xacml-comment/201709/msg00000.html

    Regards,
    Steven



        Old     New
        http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration    http://www.w3.org/2001/XMLSchema#dayTimeDuration
        http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration  http://www.w3.org/2001/XMLSchema#yearMonthDuration
        urn:oasis:names:tc:xacml:1.0:function:date-add-yearMonthDuration        urn:oasis:names:tc:xacml:3.0:function:date-add-yearMonthDuration
        urn:oasis:names:tc:xacml:1.0:function:date-subtract-yearMonthDuration   urn:oasis:names:tc:xacml:3.0:function:date-subtract-yearMonthDuration
        urn:oasis:names:tc:xacml:1.0:function:dateTime-add-dayTimeDuration      urn:oasis:names:tc:xacml:3.0:function:dateTime-add-dayTimeDuration
        urn:oasis:names:tc:xacml:1.0:function:dateTime-add-yearMonthDuration    urn:oasis:names:tc:xacml:3.0:function:dateTime-add-yearMonthDuration
        urn:oasis:names:tc:xacml:1.0:function:dateTime-subtract-dayTimeDuration         urn:oasis:names:tc:xacml:3.0:function:dateTime-subtract-dayTimeDuration
        urn:oasis:names:tc:xacml:1.0:function:dateTime-subtract-yearMonthDuration       urn:oasis:names:tc:xacml:3.0:function:dateTime-subtract-yearMonthDuration
        urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-equal     urn:oasis:names:tc:xacml:3.0:function:dayTimeDuration-equal
        urn:oasis:names:tc:xacml:1.0:function:xpath-node-count  urn:oasis:names:tc:xacml:3.0:function:xpath-node-count
        urn:oasis:names:tc:xacml:1.0:function:xpath-node-equal  urn:oasis:names:tc:xacml:3.0:function:xpath-node-equal
        urn:oasis:names:tc:xacml:1.0:function:xpath-node-match  urn:oasis:names:tc:xacml:3.0:function:xpath-node-match
        urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-equal   urn:oasis:names:tc:xacml:3.0:function:yearMonthDuration-equal
        urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides  urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides
        urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides        urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-overrides
        urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides    urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides
        urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides  urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides
        urn:oasis:names:tc:xacml:1.0:subject:authn-locality:dns-name    urn:oasis:names:tc:xacml:3.0:subject:authn-locality:dns-name
        urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address  urn:oasis:names:tc:xacml:3.0:subject:authn-locality:ip-address
        urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-deny-overrides  urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:ordered-deny-overrides
        urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides        urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:ordered-permit-overrides
        urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-deny-overrides    urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:ordered-deny-overrides
        urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-permit-overrides  urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:ordered-permit-overrides
        urn:oasis:names:tc:xacml:2.0:function:uri-string-concatenate    urn:oasis:names:tc:xacml:3.0:function:string-from-anyURI
        urn:oasis:names:tc:xacml:1.0:function:all-of
        urn:oasis:names:tc:xacml:1.0:function:any-of
        urn:oasis:names:tc:xacml:1.0:function:any-of-any
        urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-at-least-one-member-of
        urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-bag
        urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-bag-size
        urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-intersection
        urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-is-in
        urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-one-and-only
        urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-set-equals
        urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-subset
        urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-union
        urn:oasis:names:tc:xacml:1.0:function:map
        urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-at-least-one-member-of
        urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-bag
        urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-bag-size
        urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-intersection
        urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-is-in
        urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-one-and-only
        urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-set-equals
        urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-subset
        urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-union





--
David Brossard
VP of Customer Relations
+1 312 774-9163
+1 502 922 6538
+46(0)760 25 85 75
Axiomatics
525 W. Monroe Suite 2310
Chicago 60661
Support: https://support.axiomatics.com
Web: http://www.axiomatics.com
Axiomatics Blog <http://www.axiomatics.com/blog/> | Events <http://www.axiomatics.com/events.html> | Resources, Webinars & Whitepapers <http://www.axiomatics.com/resources.html>
Connect with us on LinkedIn <http://www.linkedin.com/companies/536082> | Twitter <http://twitter.com/axiomatics> | Google + <https://plus.google.com/u/1/b/101496487994084529291/> | Facebook <https://www.facebook.com/axiomatics> | YouTube <http://www.youtube.com/user/axiomaticsab>
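
Added example, not part of the original messages: a Python sketch of the disambiguation Steven describes for the type-* functions, used to report deprecated FunctionId values in a policy alongside the identifier A.3.10 is taken to define. The names `resolve`, `audit` and `SAMPLE` are hypothetical, the identifier sets are a constructed subset, and the 3.0 duration identifiers are assumed from the XACML 3.0 specification rather than from this thread. It only reports and never substitutes, since the thread notes that no relationship between old and new identifiers is required.

```python
import re
import xml.etree.ElementTree as ET

URN = "urn:oasis:names:tc:xacml:{}:function:{}-{}"
TYPES = ("boolean", "dayTimeDuration", "yearMonthDuration")
SUFFIXES = ("bag", "bag-size", "is-in", "one-and-only")  # some type-* functions

# Constructed subset of the mandatory-to-implement function identifiers.
MANDATORY = {URN.format("1.0", t, s) for t in TYPES for s in SUFFIXES}
MANDATORY |= {URN.format("3.0", t, s) for t in TYPES[1:] for s in SUFFIXES}
# The matching entries from the deprecation list quoted in the thread.
DEPRECATED = {URN.format("1.0", t, s) for t in TYPES[1:] for s in SUFFIXES}


def resolve(type_name, suffix):
    """Return the identifier taken to be defined by type-<suffix> for type_name."""
    pattern = re.compile(r"urn:oasis:names:tc:xacml:[\d.]+:function:%s-%s$"
                         % (re.escape(type_name), re.escape(suffix)))
    candidates = sorted(i for i in MANDATORY if pattern.match(i))
    if len(candidates) > 1:
        # Two mandatory identifiers fit: drop those planned for deprecation.
        candidates = [i for i in candidates if i not in DEPRECATED]
    if len(candidates) != 1:
        raise LookupError("cannot resolve %s-%s: %r" % (type_name, suffix, candidates))
    return candidates[0]


def audit(policy_xml):
    """List (deprecated FunctionId, resolved identifier) pairs; rewrites nothing."""
    findings = []
    for element in ET.fromstring(policy_xml).iter():
        function_id = element.get("FunctionId")
        if function_id in DEPRECATED:
            type_name, suffix = function_id.rsplit(":", 1)[1].split("-", 1)
            findings.append((function_id, resolve(type_name, suffix)))
    return findings


# Constructed policy fragment (not schema-complete), for illustration only.
SAMPLE = """<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <Rule RuleId="r1" Effect="Permit"><Condition>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-one-and-only"/>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-one-and-only"/>
  </Condition></Rule>
</Policy>"""

if __name__ == "__main__":
    for old, current in audit(SAMPLE):
        print("deprecated:", old, "-> defined by A.3.10:", current)
```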


