OASIS Mailing List Archives

xacml-comment message


Subject: RE: [xacml-comment] Suggestion for the XACML MAP Authorization Profile and others

Generally there is a tendency to avoid duplicating information within a document to reduce the possibility of accidentally updating one part of the profile and forgetting to update the other.


The conformance section is intended to simply specify what parts of the spec (described elsewhere) are mandatory to implement. The general question is how much of the MTI sections in question needs to be repeated in the conformance section. I guess our general answer has been “only enough to unambiguously indicate what is required for conformance.”


There is an argument that implementers should always make use of the section defining the functionality because there may be important details which do not appear elsewhere. It is not clear to me that having some but not all additional information repeated in the conformance section is really useful.


WRT the items you want to add:


Datatype should always be specified by a profile.


Category can potentially be a list of permitted categories, such as “all subject types”, “only resource and action”, etc.


I don’t see how a profile can specify anything about Issuer. This is generally deployment-specific.





From: David Brossard [mailto:david.brossard@axiomatics.com]
Sent: Saturday, July 12, 2014 10:38 AM
To: xacml; xacml-comment@lists.oasis-open.org
Subject: [xacml-comment] Suggestion for the XACML MAP Authorization Profile and others




I just noticed that in the XACML MAP Authorization Profile's conformance section (http://docs.oasis-open.org/xacml/xacml-map-authz/v1.0/cs01/xacml-map-authz-v1.0-cs01.html#_Toc385259568), the mandatory attributes are only described in terms of their identifiers.


This means that both the category, the datatype, and optionally the issuer must be looked up wherever the attribute is first defined in the profile.


For this profile and others, it would be great to have a conformance table that summarizes all the parts of an attribute definition. Or is there a reason we never did it that way?


My apologies for this late comment.


