Subject: Re: [xacml] XACML 3.0 and deprecated identifiers
Hi David,

On 11/10/2017 7:29 PM, David Brossard wrote:

> Neither 10.2.8 nor A.3.12 explicitly mention the replacement / deprecation, i.e. I have to assume that function-1.0-any-of is replaced with function-3.0-any-of. It is /obvious/ but then again obvious is not always right, is it :-)

I would say that they don't mention it because they don't need to. The goal of the specification is to specify how to implement XACML 3.0. It isn't a goal of the specification to tell folks how to upgrade from earlier versions of XACML, though there are hints littered about.

The conformance clauses tell us that urn:oasis:names:tc:xacml:3.0:function:any-of and urn:oasis:names:tc:xacml:1.0:function:any-of are mandatory to implement. The former is defined in the specification, but the latter is not, so we must look for it in the earlier versions. They are simply different functions that we must support for XACML version 3.0 and there is no requirement anywhere for any XACML version 3.0 component to substitute one for the other. Simply put, we can implement XACML 3.0 without assuming there is any relationship between the two functions.

Where the implementer must make assumptions is with the type-* functions because the identifiers are not explicitly linked to the function definitions. Take the type-bag function (in A.3.10) as an example. For most types we can find only one identifier that appears to match the right pattern, e.g., for the boolean type it is urn:oasis:names:tc:xacml:1.0:function:boolean-bag, so we assume that is the correct identifier. For dayTimeDuration and yearMonthDuration we have a problem because we find two possible matches for each (and they are both mandatory). It is only by noting that one of the identifiers appears in the list of identifiers planned for future deprecation that we assume that A.3.10 means to be defining the other one. That part of the specification could have been more rigorous. We still don't need to assume a relationship between the old identifier and the new identifier to implement XACML version 3.0.

Regards,
Steven
On Wed, Oct 11, 2017 at 12:10 AM, Steven Legg <steven.legg@viewds.com> wrote:

Hi David,

On 11/10/2017 12:42 AM, David Brossard wrote:

Hi

The XACML spec mentions that there are deprecated identifiers. There are 2 places where this happens:

* 10.2.9 Identifiers planned for future deprecation
* A.4 Functions, data types, attributes and algorithms planned for deprecation

Why do we have 2 sections? They are inconsistent.

I then compiled the 2 lists and came up with this table. You will notice that some of the identifiers do not have an explicit replacement. Why is that?

The replacements are listed in 10.2.8. The relationship between old and new is implied for the dayTimeDuration-* and yearMonthDuration-* functions because these functions are defined by the catch-all type-bag, type-bag-size, etc. functions. The function definitions for all-of, any-of, any-of-any and map in A.3.12 explicitly use the new identifiers.

BTW, did you see Cyril's comments on the JSON profile?
https://lists.oasis-open.org/archives/xacml-comment/201709/msg00000.html

Regards,
Steven

| Old | New |
| --- | --- |
| http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration | http://www.w3.org/2001/XMLSchema#dayTimeDuration |
| http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration | http://www.w3.org/2001/XMLSchema#yearMonthDuration |
| urn:oasis:names:tc:xacml:1.0:function:date-add-yearMonthDuration | urn:oasis:names:tc:xacml:3.0:function:date-add-yearMonthDuration |
| urn:oasis:names:tc:xacml:1.0:function:date-subtract-yearMonthDuration | urn:oasis:names:tc:xacml:3.0:function:date-subtract-yearMonthDuration |
| urn:oasis:names:tc:xacml:1.0:function:dateTime-add-dayTimeDuration | urn:oasis:names:tc:xacml:3.0:function:dateTime-add-dayTimeDuration |
| urn:oasis:names:tc:xacml:1.0:function:dateTime-add-yearMonthDuration | urn:oasis:names:tc:xacml:3.0:function:dateTime-add-yearMonthDuration |
| urn:oasis:names:tc:xacml:1.0:function:dateTime-subtract-dayTimeDuration | urn:oasis:names:tc:xacml:3.0:function:dateTime-subtract-dayTimeDuration |
| urn:oasis:names:tc:xacml:1.0:function:dateTime-subtract-yearMonthDuration | urn:oasis:names:tc:xacml:3.0:function:dateTime-subtract-yearMonthDuration |
| urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-equal | urn:oasis:names:tc:xacml:3.0:function:dayTimeDuration-equal |
| urn:oasis:names:tc:xacml:1.0:function:xpath-node-count | urn:oasis:names:tc:xacml:3.0:function:xpath-node-count |
| urn:oasis:names:tc:xacml:1.0:function:xpath-node-equal | urn:oasis:names:tc:xacml:3.0:function:xpath-node-equal |
| urn:oasis:names:tc:xacml:1.0:function:xpath-node-match | urn:oasis:names:tc:xacml:3.0:function:xpath-node-match |
| urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-equal | urn:oasis:names:tc:xacml:3.0:function:yearMonthDuration-equal |
| urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides | urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides |
| urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides | urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-overrides |
| urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides | urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides |
| urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides | urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides |
| urn:oasis:names:tc:xacml:1.0:subject:authn-locality:dns-name | urn:oasis:names:tc:xacml:3.0:subject:authn-locality:dns-name |
| urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address | urn:oasis:names:tc:xacml:3.0:subject:authn-locality:ip-address |
| urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-deny-overrides | urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:ordered-deny-overrides |
| urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides | urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:ordered-permit-overrides |
| urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-deny-overrides | urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:ordered-deny-overrides |
| urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-permit-overrides | urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:ordered-permit-overrides |
| urn:oasis:names:tc:xacml:2.0:function:uri-string-concatenate | urn:oasis:names:tc:xacml:3.0:function:string-from-anyURI |
| urn:oasis:names:tc:xacml:1.0:function:all-of | |
| urn:oasis:names:tc:xacml:1.0:function:any-of | |
| urn:oasis:names:tc:xacml:1.0:function:any-of-any | |
| urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-at-least-one-member-of | |
| urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-bag | |
| urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-bag-size | |
| urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-intersection | |
| urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-is-in | |
| urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-one-and-only | |
| urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-set-equals | |
| urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-subset | |
| urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-union | |
| urn:oasis:names:tc:xacml:1.0:function:map | |
| urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-at-least-one-member-of | |
| urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-bag | |
| urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-bag-size | |
| urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-intersection | |
| urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-is-in | |
| urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-one-and-only | |
| urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-set-equals | |
| urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-subset | |
| urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-union | |

--
David Brossard
VP of Customer Relations
+1 312 774-9163
+1 502 922 6538
+46(0)760 25 85 75
Axiomatics
525 W. Monroe Suite 2310
Chicago 60661
Support: https://support.axiomatics.com
Web: http://www.axiomatics.com
Axiomatics Blog <http://www.axiomatics.com/blog/> | Events <http://www.axiomatics.com/events.html> | Resources, Webinars & Whitepapers <http://www.axiomatics.com/resources.html>
Connect with us on LinkedIn <http://www.linkedin.com/companies/536082> | Twitter <http://twitter.com/axiomatics> | Google + <https://plus.google.com/u/1/b/101496487994084529291/> | Facebook <https://www.facebook.com/axiomatics> | YouTube <http://www.youtube.com/user/axiomaticsab>
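The disambiguation described in the reply above for the type-bag family, as an added example that is not part of the original thread or of the specification: a PDP function registry picks the identifier for a type-* function by pattern match and falls back to the planned-deprecation list only when two mandatory identifiers match. The identifier sets are small constructed subsets, and the names `candidates` and `resolve` are hypothetical.

```python
import re

# Constructed subset of the mandatory-to-implement function identifiers.
MANDATORY = {
    "urn:oasis:names:tc:xacml:1.0:function:boolean-bag",
    "urn:oasis:names:tc:xacml:1.0:function:boolean-bag-size",
    "urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-bag",
    "urn:oasis:names:tc:xacml:3.0:function:dayTimeDuration-bag",
    "urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-bag-size",
    "urn:oasis:names:tc:xacml:3.0:function:dayTimeDuration-bag-size",
    "urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-bag",
    "urn:oasis:names:tc:xacml:3.0:function:yearMonthDuration-bag",
}

# Subset of the identifiers planned for future deprecation (taken from the
# table quoted in the thread).
PLANNED_DEPRECATION = {
    "urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-bag",
    "urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-bag-size",
    "urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-bag",
}

FUNC = re.compile(r"^urn:oasis:names:tc:xacml:\d\.\d:function:(?P<name>.+)$")


def candidates(type_name, suffix):
    """All mandatory identifiers whose local name is exactly <type>-<suffix>."""
    wanted = f"{type_name}-{suffix}"
    return sorted(
        ident for ident in MANDATORY
        if (m := FUNC.match(ident)) and m["name"] == wanted
    )


def resolve(type_name, suffix):
    """Identifier that the generic type-<suffix> definition is taken to define."""
    found = candidates(type_name, suffix)
    if len(found) > 1:
        # Two mandatory matches: assume the definition means the identifier
        # that is not planned for deprecation.
        found = [ident for ident in found if ident not in PLANNED_DEPRECATION]
    if len(found) != 1:
        # Fail closed rather than guess which function a policy refers to.
        raise LookupError(f"cannot resolve {type_name}-{suffix}: {found}")
    return found[0]
```

Both members of an ambiguous pair stay registered as separate mandatory functions; `resolve` only decides which one the generic definition is assumed to describe.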